[MAVEN:GHSA-R65J-6H5F-4F92] Withdrawn: JJWT improperly generates signing keys

Severity Moderate
Affected Packages 1
CVEs 1

Withdrawn Advisory

This advisory has been withdrawn because it has been found to be disputed. Please see the issue here for more information.

Original Description

JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class.

Package Affected Version
pkg:maven/io.jsonwebtoken/jjwt-impl <= 0.12.5
ID
MAVEN:GHSA-R65J-6H5F-4F92
Severity
moderate
URL
https://github.com/advisories/GHSA-r65j-6h5f-4f92
Published
2024-04-01T03:30:38
(3 weeks ago)
Modified
2024-04-03T14:53:00
(2 weeks ago)
Rights
Maven Security Team
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/io.jsonwebtoken/jjwt-impl io.jsonwebtoken jjwt-impl <= 0.12.5
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date
Loading...