Security Bulletin: IBM Event Streams is vulnerable to a denial of service attack due to the jose4j component ( CVE-2023-51775).

Published 2024-06-25 09:09:45 (source: www.ibm.com)

Vulners metrics: AI Score 6.8 Medium (confidence High); EPSS 0.0004 Low (percentile 9.1%)
Summary

IBM Event Streams is vulnerable to a denial of service attack due to the jose4j component. The jose4j library is used in Event Streams for secure handling of JSON Web Tokens (JWTs), providing encryption, decryption, and validation of tokens to ensure secure authentication and data integrity in event-driven applications.

Vulnerability Details

CVEID: CVE-2023-51775
**DESCRIPTION:** jose4j is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted p2c value, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/275907 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
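The p2c header parameter is the PBES2 iteration count that a JWE recipient feeds into PBKDF2 before it can even attempt to unwrap the content key, so an oversized value turns a single unauthenticated request into a long CPU-bound loop. The check below is an added, defender-side example written for this bulletin; it is not IBM's or the jose4j project's code. It parses the protected header of a compact-serialized JWE and rejects PBES2 tokens whose p2c is missing, malformed, or above a policy cap, before any key derivation is run. The cap value `MAX_P2C` and the sample tokens built by `make_sample_jwe` are constructed for illustration and are not values taken from jose4j or the advisory.

```python
"""Bound the PBES2 iteration count (p2c) of a JWE before any key derivation.

Added example for CVE-2023-51775 style hardening; not code from IBM or jose4j.
The JWE objects below are constructed samples: only the protected header is
meaningful, the remaining four compact-serialization segments are placeholders.
"""
import base64
import json
from typing import Optional

# Assumed policy value (illustrative, not a jose4j default): PBES2 tokens
# asking for more iterations than this are rejected without deriving a key.
MAX_P2C = 1_000_000

# The three PBES2 key-management algorithms from RFC 7518 that use p2c.
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used in JOSE compact serialization."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def parse_protected_header(compact_jwe: str) -> dict:
    """Return the JSON protected header of a compact JWE (5 dot-separated parts)."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE: expected 5 segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header


def check_p2c(compact_jwe: str, max_p2c: int = MAX_P2C) -> Optional[int]:
    """Validate p2c on PBES2 tokens.

    Returns the accepted p2c, or None when the token does not use PBES2 and
    the parameter is irrelevant. Raises ValueError for missing, non-integer,
    non-positive, or over-cap values so the caller can drop the request early.
    """
    header = parse_protected_header(compact_jwe)
    if header.get("alg") not in PBES2_ALGS:
        return None
    p2c = header.get("p2c")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
        raise ValueError("p2c must be a positive integer for PBES2 algorithms")
    if p2c > max_p2c:
        raise ValueError(f"p2c {p2c} exceeds policy maximum {max_p2c}")
    return p2c


def make_sample_jwe(header: dict) -> str:
    """Constructed sample: real protected header, placeholder other segments."""
    hdr = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    # encrypted key is empty for PBES2 in this sample; iv/ciphertext/tag are dummies
    return ".".join([hdr, "", "aXY", "Y3Q", "dGFn"])


def triage(compact_jwe: str) -> str:
    """Decision string suitable for a gateway log line: 'accept' or 'reject: <why>'."""
    try:
        check_p2c(compact_jwe)
        return "accept"
    except ValueError as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    sane = make_sample_jwe({"alg": "PBES2-HS256+A128KW", "enc": "A128CBC-HS256",
                            "p2s": "c2FsdA", "p2c": 4096})
    huge = make_sample_jwe({"alg": "PBES2-HS256+A128KW", "enc": "A128CBC-HS256",
                            "p2s": "c2FsdA", "p2c": 2**31 - 1})
    other = make_sample_jwe({"alg": "RSA-OAEP", "enc": "A256GCM"})
    for label, token in (("sane", sane), ("huge", huge), ("non-PBES2", other)):
        print(f"{label}: {triage(token)}")
```

Run this check at the edge (a gateway or the first handler that sees the token) so that the rejection happens before the JOSE library starts PBKDF2; a reject line in the gateway log with the offending p2c value is also a cheap detection signal for attempts against unpatched consumers.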

Affected Products and Versions

| Affected Product(s) | Version(s)    |
|---------------------|---------------|
| IBM Event Streams   | 11.3.0-11.3.2 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Upgrade to IBM Event Streams 11.4.0 by following the upgrading and migrating documentation.

Workarounds and Mitigations

None

Affected configurations

IBM Event Streams, versions 11.3.0 through 11.3.2 inclusive (11.3.0 ≤ version ≤ 11.3.2)
