Advisories for Maven/Org.bitbucket.b_c/Jose4j package

The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less.

RSA1_5 in jose4j is susceptible to chosen ciphertext attacks. The attack allows to decrypt RSA1_5 or RSA_OAEP encrypted ciphertexts. It may be feasible to sign with affected keys.