Use of a Broken or Risky Cryptographic Algorithm
CVE-2024-31033
Summary
JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the "setSigningKey()" method within the "DefaultJwtParser" class and the "signWith()" method within the "DefaultJwtBuilder" class. NOTE: The vendor disputes this because the "ignores" behavior cannot occur (in any version) unless there is a user error in how JJWT is used, and because the version that was actually tested must have been more than six years out of date.
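The advisory attributes the weak-key outcome to key material being transformed on the way into signWith()/setSigningKey(), so the defender's check is to measure the key as the bytes the MAC actually consumes. The following stand-alone HS256 sign/verify is an added example, not JJWT's code; it enforces the RFC 7518 minimum of 256 bits for HS256 and refuses a str key outright, and its function names and threshold constant are this example's own.

```python
import base64
import hashlib
import hmac
import json
import secrets

# RFC 7518 section 3.2: HS256 key material MUST be at least 256 bits (32 bytes).
MIN_HS256_KEY_BYTES = 32

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_hs256_key(key: bytes) -> bytes:
    # Measure the key as the bytes the MAC will actually consume. A str is refused
    # outright: its apparent length says nothing until the caller encodes it, and
    # silently transforming the text is exactly what lets a weak key look strong.
    if not isinstance(key, (bytes, bytearray)):
        raise TypeError("HS256 key must be raw bytes, not a str")
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError(f"HS256 key is {len(key) * 8} bits; RFC 7518 requires >= 256")
    return bytes(key)

def new_hs256_key() -> bytes:
    # Random full-strength key; prefer this over any human-typed secret.
    return secrets.token_bytes(MIN_HS256_KEY_BYTES)

def sign_hs256(claims: dict, key: bytes) -> str:
    key = check_hs256_key(key)
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes) -> dict:
    key = check_hs256_key(key)
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Pin the algorithm: the header is untrusted until the MAC checks out.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_encode(expected), sig_b64):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))
```

A 64-character str passed as the key fails the type check rather than being quietly re-encoded, which is the failure mode the summary describes a user falling into.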
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- REQUIRED
- NONE
- HIGH
- NONE
CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
Advisory Timeline
- Published