CVE-2023-37464
- ULN >
- Oracle Linux CVE repository >
- CVE-2023-37464
CVE Details
| Release Date: | 2023-07-14 |
Description
OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).
See more information about CVE-2023-37464 from MITRE CVE dictionary and NIST NVD
CVSS v3.0 metrics
NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.
| Base Score: | 7.5 | Base Metrics: | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Access Vector: | Network | Attack Complexity: | Low |
| Privileges Required: | None | User Interaction: | None |
| Scope: | Unchanged | Confidentiality Impact: | None |
| Integrity Impact: | High | Availability Impact: | None |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 8 (cjose) | ELSA-2023-4418 | 2023-08-02 |
| Oracle Linux version 8 (mod_auth_openidc) | ELSA-2023-4418 | 2023-08-02 |
| Oracle Linux version 9 (cjose) | ELSA-2023-4411 | 2023-08-02 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
