306 matches found
Fedora: Security Advisory for golang-gopkg-square-jose-2 (FEDORA-2022-3969b64d4b)
The remote host is missing an update for the Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
[SECURITY] Fedora 36 Update: golang-gopkg-square-jose-2-2.6.0-3.fc36
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. This includes support for JSON Web Encryption, JSON Web Signature, and JSON Web Token standards...
jose-browser-runtime 安全漏洞
npm jose-browser-runtime is an application from the US company npm. Generic " JSON Web almost everything " - JWA, JWS, JWE, JWT, JWK using native encryption runtime without dependencies. A security vulnerability exists in jose-browser-runtime, which stems from the possibility of a noticeable time...
JSON Libraries Patched Against Invalid Curve Crypto Attack
A number of JSON libraries using the JSON Web Encryption specification JWE to create, sign and encrypt access tokens have been patched against an attack that allows for the recovery of a private key. Researcher Antonio Sanso of Adobe said the go-jose, node-jose, jose2go, Nimbus JOSE+WT and jose4...
Internet Bug Bounty: Critical vulnerability in JSON Web Encryption (JWE) - RFC 7516 Invalid Curve attack
We found an issue in the JWE specification where it fails to warn the implementers about Invalid Curve attack. We found several libraries to be vulnerable : node-jose, jose2go, Nimbus JOSE+JWT and jose4j and in the process of filing an errata for the RFC. We report the vulnerabilities to the...
Critical vulnerability in JSON Web Encryption (JWE) - RFC 7516
tl;dr if you are using go-jose, node-jose, jose2go, Nimbus JOSE+JWT or jose4j with ECDH-ES please update to the latest version. RFC 7516 aka JSON Web Encryption JWE hence many software libraries implementing this specification used to suffer from a classic Invalid Curve Attack. This would allow a...