Showing 1 - 9 of 9

CVE-2023-37464

Status Candidate

Overview

OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).

Related Files

Ubuntu Security Notice USN-6307-1: Posted Aug 25, 2023; Authored by Ubuntu | Site security.ubuntu.com; Ubuntu Security Notice 6307-1 - It was discovered that JOSE for C/C++ AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. An attacker could use this to cause a denial of service or might expose sensitive information.; tags | advisory, denial of service; systems | linux, ubuntu; advisories | CVE-2023-37464; SHA-256 | 0fe1a24114e00e5ae9f25a559d718911b8f95a69aeb879b5dabc16383b1d3100; Download | Favorite | View

Debian Security Advisory 5472-1: Posted Aug 9, 2023; Authored by Debian | Site debian.org; Debian Linux Security Advisory 5472-1 - It was discovered that an incorrect implementation of AES GCM decryption in cjose, a C library implementing the JOSE standard may allow an attacker to provide a truncated Authentication Tag and modify the JWE object.; tags | advisory; systems | linux, debian; advisories | CVE-2023-37464; SHA-256 | e815ed796d98716daec24718d9f1e8fca1f08e0f4680903994da1dabbc41af77; Download | Favorite | View

Red Hat Security Advisory 2023-4429-01: Posted Aug 2, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-4429-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.; tags | advisory, web; systems | linux, redhat; advisories | CVE-2023-37464; SHA-256 | 84e4fa4c9b723f028eda570601609ad7ebfc7fe269bbe166be52f190e0c0e177; Download | Favorite | View

Red Hat Security Advisory 2023-4417-01: Posted Aug 2, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-4417-01 - CJose is C library implementing the Javascript Object Signing and Encryption.; tags | advisory, javascript; systems | linux, redhat; advisories | CVE-2023-37464; SHA-256 | 22c3bb74d9c2e542f865f639c88c79b425277c88a060f4e27bf5dbe20a578efb; Download | Favorite | View

Red Hat Security Advisory 2023-4418-01: Posted Aug 2, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-4418-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.; tags | advisory, web; systems | linux, redhat; advisories | CVE-2023-37464; SHA-256 | 0a1d5bf1e533e63b02c6e841cbe1f36306457fe7553ff9cafa89fb500b756835; Download | Favorite | View

Red Hat Security Advisory 2023-4411-01: Posted Aug 1, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-4411-01 - CJose is C library implementing the Javascript Object Signing and Encryption.; tags | advisory, javascript; systems | linux, redhat; advisories | CVE-2023-37464; SHA-256 | dccddcd552f7680d2e72aefb3cffd84471aa6a23a83e150e4d8ca50f00633b60; Download | Favorite | View

Red Hat Security Advisory 2023-4410-01: Posted Aug 1, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-4410-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.; tags | advisory, web; systems | linux, redhat; advisories | CVE-2023-37464; SHA-256 | 962a03700cdaf2b77f70083e13671a7f51883c7dd8caf31e5fcb70c908ba55ca; Download | Favorite | View

Red Hat Security Advisory 2023-4409-01: Posted Aug 1, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-4409-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.; tags | advisory, web; systems | linux, redhat; advisories | CVE-2023-37464; SHA-256 | 40ffbac1f3fe480270dd9f44f9d7529da5cc4f57c4e56941745de21f93adbf30; Download | Favorite | View

Red Hat Security Advisory 2023-4408-01: Posted Aug 1, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-4408-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.; tags | advisory, web; systems | linux, redhat; advisories | CVE-2023-37464; SHA-256 | 1efff2ead8b420c3c676224349d5410ab7d79630c905f83d260e8b9095357348; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 270 files
Ubuntu 54 files
Gentoo 33 files
Debian 26 files
Ahmet Umit Bayram 10 files
Apple 9 files
malvuln 7 files
Jann Horn 5 files
Google Security Research 5 files
nu11secur1ty 4 files

File Archives

Systems

AIX (429)
Apple (2,088)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,051)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,500)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,873)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,976)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,535)
UNIX (9,409)
UnixWare (187)
Windows (6,660)
Other

CVE-2023-37464

Overview

Related Files

File Archive:

June 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems