GMS-2023-1246: Chosen Ciphertext Attack in Jose4j
RSA1_5 in jose4j is susceptible to chosen ciphertext attacks. The attack allows to decrypt RSA1_5 or RSA_OAEP encrypted ciphertexts. It may be feasible to sign with affected keys.
References
- bitbucket.org/b_c/jose4j/commits/14e62a8dee9decb4ff6e0625aedc5724601bfdb6
- bitbucket.org/b_c/jose4j/commits/63b86581e7bfcc2d9d04ee15caea4b5bfb911f59
- bitbucket.org/b_c/jose4j/commits/tag/jose4j-0.9.3
- github.com/advisories/GHSA-jgvc-jfgh-rjvv
- github.com/google/security-research/security/advisories/GHSA-jgvc-jfgh-rjvv
Detect and mitigate GMS-2023-1246 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →