#VU83977 Insufficient entropy in jose4j - CVE-2023-31582

Cybersecurity Help s.r.o.

Published: 2023-12-07

Vulnerability identifier: #VU83977

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-31582

CWE-ID: CWE-331

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jose4j
Universal components / Libraries / Libraries used by multiple products

Vendor: jose4j

Description

The vulnerability allows a remote attacker to brute-force JWT token.

The vulnerability exists due to usage of insufficient entropy when generating JWT token. A remote attacker can brute-force the JWT token and gain unauthorized access to the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

jose4j: 0.1.0 - 0.9.2

External links
https://bitbucket.org/b_c/jose4j/issues/203/insecure-support-of-setting-pbe-less-then
https://github.com/KANIXB/JWTIssues/blob/main/jose4j%20issue.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

IBM Sterling B2B Integrator update for WebSphere Application Server

Multiple vulnerabilities in Dell ObjectScale

Multiple vulnerabilities in Dell PowerStoreT OS

Multiple vulnerabilities in Dell PowerStore Family

Multiple vulnerabilities in IBM QRadar SIEM

Multiple vulnerabilities in Netcool Operations Insight

Multiple vulnerabilities in IBM Operations Analytics Predictive Insights

SUSE update for Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

Insufficient entropy in IBM Business Automation Workflow

Multiple vulnerabilities in IBM Cloud Pak for Business Automation