JJWT 0.12.5 Ignores Characters in SigningKey Allowing Weak Key Misinterpretation
CVE-2024-31033 Published on April 1, 2024
JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class. NOTE: the vendor disputes this because the "ignores" behavior cannot occur (in any version) unless there is a user error in how JJWT is used, and because the version that was actually tested must have been more than six years out of date.
Vulnerability Analysis
CVE-2024-31033 can be exploited with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2024-31033. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.