CVE-2024-31033 (GCVE-0-2024-31033)
Vulnerability from cvelistv5 – Published: 2024-04-01 00:00 – Updated: 2024-08-27 17:59 Disputed
Summary
JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class. NOTE: the vendor disputes this because the "ignores" behavior cannot occur (in any version) unless there is a user error in how JJWT is used, and because the version that was actually tested must have been more than six years out of date.
Severity
6.8 (Medium)
CWE
- n/a
Assigner
- mitre
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.353Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jwtk/jjwt"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.viralpatel.net/java-create-validate-jwt-token/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/2308652512/JJWT_BUG"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jwtk/jjwt/issues/930#issuecomment-2032699358"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jwtk:jjwt:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jjwt",
"vendor": "jwtk",
"versions": [
{
"lessThanOrEqual": "0.12.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31033",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-01T18:18:57.748023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T17:59:14.397Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class. NOTE: the vendor disputes this because the \"ignores\" behavior cannot occur (in any version) unless there is a user error in how JJWT is used, and because the version that was actually tested must have been more than six years out of date."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-03T02:44:04.781181",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/jwtk/jjwt"
},
{
"url": "https://www.viralpatel.net/java-create-validate-jwt-token/"
},
{
"url": "https://github.com/2308652512/JJWT_BUG"
},
{
"url": "https://github.com/jwtk/jjwt/issues/930#issuecomment-2032699358"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-31033",
"datePublished": "2024-04-01T00:00:00",
"dateReserved": "2024-03-27T00:00:00",
"dateUpdated": "2024-08-27T17:59:14.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}