Techini / vulnado

Purposely vulnerable Java application to help lead secure coding workshops
Apache License 2.0

CVE-2024-31033 (High) detected in jjwt-impl-0.10.5.jar - autoclosed #171

Closed mend-bolt-for-github[bot] closed 6 months ago

mend-bolt-for-github[bot] commented 7 months ago

CVE-2024-31033 - High Severity Vulnerability

Vulnerable Library - jjwt-impl-0.10.5.jar

JSON Web Token support for the JVM and Android

Library home page: https://github.com/jwtk/jjwt

Path to dependency file: /pom.xml

Path to vulnerable library: /downloadResource_be9e7f78-c1b5-4680-921c-c131e1f3bfc0/20200212161001/jjwt-impl-0.10.5.jar

Dependency Hierarchy:
- :x: **jjwt-impl-0.10.5.jar** (Vulnerable Library)

Found in HEAD commit: ab278c56e06e40f26bf6d27435897d8def3fa02e

Found in base branch: master

Vulnerability Details

JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class.

Publish Date: 2024-04-01

URL: CVE-2024-31033

CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

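
As an added example (not the project's or JJWT's own code), the following Python models the failure mode the advisory describes: a Base64 decoder that ignores characters outside its alphabet silently shrinks the key material, so a string that looks like 32 characters of secret decodes to far fewer bytes. The key string is constructed for the illustration, the decoders are Python's standard library rather than JJWT's, the 256-bit minimum for HS256 comes from RFC 7518, and `check_hmac_key` is a hypothetical helper showing the check a practitioner would run before accepting a key.

```python
import base64
import binascii
import re

# Constructed example: reads like 32 characters (256 bits) of secret, but
# the '-' and '!' characters are outside the Base64 alphabet.
LOOKS_STRONG_KEY = "my-secret-key-for-the-app-2024!!"

# RFC 7518 section 3.2: an HS256 key must be at least 256 bits.
HS256_MIN_BITS = 256

NOT_BASE64 = re.compile(r"[^A-Za-z0-9+/]")


def lenient_decode(key: str) -> bytes:
    """Model of a lenient decoder: characters outside the Base64 alphabet
    are dropped before decoding, so part of the "key" simply disappears."""
    kept = NOT_BASE64.sub("", key)
    if len(kept) % 4 == 1:
        kept = kept[:-1]  # a lone trailing sextet carries no whole byte
    kept += "=" * (-len(kept) % 4)  # pad so the decoder accepts the length
    return base64.b64decode(kept)


def strict_decode(key: str) -> bytes:
    """Strict decoder: any non-alphabet character is an error, never ignored."""
    return base64.b64decode(key, validate=True)


def naive_key_bits(key: str) -> int:
    """What a user counting characters would assume they have."""
    return len(key) * 8


def effective_key_bits(key: str) -> int:
    """What the lenient decoder actually hands to the HMAC."""
    return len(lenient_decode(key)) * 8


def check_hmac_key(key: str, min_bits: int = HS256_MIN_BITS) -> dict:
    """Hypothetical pre-flight check: decode strictly, then enforce the
    algorithm's minimum key size on the decoded bytes, not the string."""
    try:
        raw = strict_decode(key)
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "reason": f"not valid Base64: {exc}", "bits": 0}
    bits = len(raw) * 8
    if bits < min_bits:
        return {"ok": False, "reason": f"{bits} bits < {min_bits} required", "bits": bits}
    return {"ok": True, "reason": "ok", "bits": bits}


if __name__ == "__main__":
    print("assumed bits :", naive_key_bits(LOOKS_STRONG_KEY))
    print("decoded bits :", effective_key_bits(LOOKS_STRONG_KEY))
    print("strict check :", check_hmac_key(LOOKS_STRONG_KEY))
    # A key generated the right way: 32 random bytes, then Base64-encoded.
    good = base64.b64encode(b"\x42" * 32).decode()
    print("proper key   :", check_hmac_key(good))
```

The lenient path turns the 32-character string into 18 bytes (144 bits) with no error, which is exactly the "falsely conclude that they have a strong key" situation; the strict path refuses the string outright, and a key built from 32 random bytes passes with 256 bits. The same check applies whichever library does the decoding: measure the decoded bytes, not the string.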

mend-bolt-for-github[bot] commented 6 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.