#VU91833 Cryptographic issues in JOSE


Published: 2024-06-12

Vulnerability identifier: #VU91833

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-33663

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
JOSE
Universal components / Libraries / Libraries used by multiple products

Vendor: Michael Davis

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to algorithm confusion with OpenSSH ECDSA keys and other key formats. A remote attacker can perform MitM attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

JOSE: 0.1.5 - 3.3.0

External links
http://github.com/mpdavis/python-jose/issues/346

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Ansible Automation Platform 2.4 packages
Algorithm confusion in python-jose