[MAVEN:GHSA-R65J-6H5F-4F92] Withdrawn: JJWT improperly generates signing keys

Severity: Moderate
Affected Packages: 1
CVEs: 1

Withdrawn Advisory

This advisory has been withdrawn because it has been found to be disputed. Please see the issue here for more information.

Original Description

JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class.

Package: pkg:maven/io.jsonwebtoken/jjwt-impl
Affected Version: <= 0.12.5
ID: MAVEN:GHSA-R65J-6H5F-4F92
Severity: moderate
URL: https://github.com/advisories/GHSA-r65j-6h5f-4f92
Published: 2024-04-01T03:30:38 (3 months ago)
Modified: 2024-04-03T14:53:00 (3 months ago)
Rights: Maven Security Team

Type: Affected
Package URL: pkg:maven/io.jsonwebtoken/jjwt-impl
Namespace: io.jsonwebtoken
Name / Product: jjwt-impl
Version: <= 0.12.5