CVE-2023-31582

NameCVE-2023-31582
Descriptionjose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1054872

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libjose4j-java (PTS)sid, trixie0.7.12-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libjose4j-javasource(unstable)0.7.12-21054872

Notes

https://bitbucket.org/b_c/jose4j/issues/203/insecure-support-of-setting-pbe-less-then
Fixed by: https://bitbucket.org/b_c/jose4j/commits/1929fe3 (jose4j/0.9.3)
Search for package or bug name: Reporting problems