Insecure encryption algorithm in io.jsonwebtoken:jjwt-impl

Description

Withdrawn: JJWT improperly generates signing keys

Withdrawn Advisory

This advisory has been withdrawn because it has been found to be disputed. Please see the referenced issue for more information.

Original Description

JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class.
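Both methods named in the description have a String overload whose parameter is documented as base64EncodedSecretKey: the characters of the string are not the key, JJWT Base64-decodes them first and the decoded bytes become the HMAC key. That is the context in which "ignores certain characters" applies, and it is the disputed point. The following is an added example, not code from the JJWT project or from the advisory, that makes the decoded-versus-verbatim difference visible with a valid Base64 string (so it does not depend on how the decoder treats characters outside the alphabet) and then shows the 0.12.x constructors that let you inspect the key length yourself. It assumes jjwt-api, jjwt-impl and jjwt-jackson 0.12.x on the classpath; the class name is hypothetical.

```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.Encoders;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.SignatureException;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

// Hypothetical class name; requires jjwt-api, jjwt-impl and jjwt-jackson 0.12.x.
public class JjwtKeyStrengthCheck {

    // Bits of key material the HMAC algorithm actually receives from this key.
    static int keyBits(SecretKey key) {
        return key.getEncoded().length * 8;
    }

    @SuppressWarnings("deprecation")
    public static void main(String[] args) {
        // Constructed sample: 32 random bytes, Base64-encoded into a 44-character string.
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        String secretString = Encoders.BASE64.encode(raw);

        // Deprecated path: DefaultJwtBuilder.signWith(SignatureAlgorithm, String).
        // The parameter is documented as base64EncodedSecretKey, so the String is
        // decoded before use: the key is the 32 decoded bytes, not the 44 characters.
        String jws = Jwts.builder()
                .subject("alice")
                .signWith(SignatureAlgorithm.HS256, secretString)
                .compact();

        // Check 1: the token verifies under the Base64-decoded bytes.
        SecretKey decodedKey = new SecretKeySpec(Decoders.BASE64.decode(secretString), "HmacSHA256");
        String subject = Jwts.parser().verifyWith(decodedKey).build()
                .parseSignedClaims(jws).getPayload().getSubject();
        System.out.println("verified with decoded bytes, subject=" + subject
                + ", effective key=" + keyBits(decodedKey) + " bits");

        // Check 2: it does NOT verify under the raw UTF-8 bytes of the string, which is
        // the key a caller expects who believes "44 characters = 44-byte key".
        SecretKey charKey = new SecretKeySpec(secretString.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
        try {
            Jwts.parser().verifyWith(charKey).build().parseSignedClaims(jws);
            System.out.println("unexpected: verified with the raw characters");
        } catch (SignatureException e) {
            System.out.println("raw characters do not verify: the String was decoded, not used verbatim");
        }

        // Recommended 0.12.x usage: hand JJWT a SecretKey whose length you can inspect.
        // Keys.hmacShaKeyFor rejects material shorter than 256 bits (WeakKeyException),
        // and Jwts.SIG.HS256.key().build() generates a correctly sized key for you.
        SecretKey fromBytes = Keys.hmacShaKeyFor(raw);
        SecretKey generated = Jwts.SIG.HS256.key().build();
        String jws2 = Jwts.builder().subject("alice").signWith(generated).compact();
        Jwts.parser().verifyWith(generated).build().parseSignedClaims(jws2);
        System.out.println("fromBytes=" + keyBits(fromBytes) + " bits, generated="
                + keyBits(generated) + " bits");
    }
}
```

The practical check is keyBits(): whatever you pass to signWith or verifyWith, confirm that getEncoded().length on the SecretKey you hand to the library matches the key length you believe you have, and avoid the String overloads, which are deprecated and only meaningful for Base64-encoded input.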

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem: Maven
Package: io.jsonwebtoken:jjwt-impl
Affected version: through 0.12.5 (per the original description)
Patched versions: none listed (advisory withdrawn)