342 matches found
CVE-2022-38493
Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn't check the RSA private key length before RSA-OAEP decryption. This allows attackers to cause a Denial of Service via a crafted JWE JSON Web Encryption token...
UBUNTU-CVE-2022-38493
Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn't check the RSA private key length before RSA-OAEP decryption. This allows attackers to cause a Denial of Service via a crafted JWE JSON Web Encryption token...
CVE-2022-38493
CVE-2022-38493 affects Rhonabwy 0.9.99 through 1.1.x prior to 1.1.7, where the RSA private key length is not validated before RSA-OAEP decryption. The underlying issue allows an attacker to cause a Denial of Service via a crafted JWE (JSON Web Encryption) token. Multiple connected sources (Red Ha...
PT-2022-24426 · Rhonabwy · Rhonabwy
Name of the Vulnerable Software and Affected Versions: Rhonabwy versions 0.9.99 through 1.1.x before 1.1.7 Description: The issue allows attackers to cause a Denial of Service via a crafted JWE JSON Web Encryption token, as the software does not check the RSA private key length before RSA-OAEP...
Fedora: Security Advisory for golang-gopkg-square-jose-2 (FEDORA-2022-37aef44d1e)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
[SECURITY] Fedora 36 Update: golang-gopkg-square-jose-2-2.6.0-4.fc36
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. This includes support for JSON Web Encryption, JSON Web Signature, and JSON Web Token standards...
Fedora: Security Advisory for golang-gopkg-square-jose-2 (FEDORA-2022-3969b64d4b)
The remote host is missing an update for the Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
[SECURITY] Fedora 36 Update: golang-gopkg-square-jose-2-2.6.0-3.fc36
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. This includes support for JSON Web Encryption, JSON Web Signature, and JSON Web Token standards...
Securing Port 443: The Gateway To A New Universe
At Wordfence our business is to secure over 4 million WordPress websites and keep them secure. My background is in network operations, and then I transitioned into software development because my ops role was at a scale where I found myself writing a lot of code. This led me to founding startups,...
jose-browser-runtime 安全漏洞
npm jose-browser-runtime is an application from the US company npm. Generic " JSON Web almost everything " - JWA, JWS, JWE, JWT, JWK using native encryption runtime without dependencies. A security vulnerability exists in jose-browser-runtime, which stems from the possibility of a noticeable time...
Let's Encrypt Issued A Billion Free SSL Certificates in the Last 4 Years
Let's Encrypt, a free, automated, and open certificate signing authority CA from the nonprofit Internet Security Research Group ISRG, has said it's issued a billion certificates since its launch in 2015. The CA issued its first certificate in September 2015, before eventually reaching 100 million...
JSON Libraries Patched Against Invalid Curve Crypto Attack
A number of JSON libraries using the JSON Web Encryption specification JWE to create, sign and encrypt access tokens have been patched against an attack that allows for the recovery of a private key. Researcher Antonio Sanso of Adobe said the go-jose, node-jose, jose2go, Nimbus JOSE+WT and jose4...
Internet Bug Bounty: Critical vulnerability in JSON Web Encryption (JWE) - RFC 7516 Invalid Curve attack
We found an issue in the JWE specification where it fails to warn the implementers about Invalid Curve attack. We found several libraries to be vulnerable : node-jose, jose2go, Nimbus JOSE+JWT and jose4j and in the process of filing an errata for the RFC. We report the vulnerabilities to the...
Critical vulnerability in JSON Web Encryption (JWE) - RFC 7516
tl;dr if you are using go-jose, node-jose, jose2go, Nimbus JOSE+JWT or jose4j with ECDH-ES please update to the latest version. RFC 7516 aka JSON Web Encryption JWE hence many software libraries implementing this specification used to suffer from a classic Invalid Curve Attack. This would allow a...
Google Adds New Layer of Security to Domain: Adds HSTS
Google is adding HTTP Strict Transport Security or HSTS to the Google.com domain, an extra layer of protection that prevents visitors from using a less secure HTTP connection. By using HSTS, visitors following HTTP links to Google.com will be automatically redirected to the more secure HTTPS...
Web Encryption Protocol That Even Quantum Computers Can't Crack
Sometimes, instead of black and white we tend to look out, how a grey would look? Yes, today we are going to discuss the ‘entangling’ or ‘superpositioning’ which is a power packed functionality of quantum computers. And simultaneously, how can they pose a threat when fully launched in the world...
Web Encryption Extension security update
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Revision: 1.0 Last Updated: 25 July 2014 First Published: 25 July 2014 Summary: A security issue was found in the Web Encryption Extension. Authenticated users are able to modify the content of https request fields to insert code into the pipeline...
POODLE SSL 3.0 Attack Exploits Widely-used Web Encryption Standard
Another Heartbleed-like vulnerability has been discovered in the decade old but still widely used Secure Sockets Layer SSL 3.0 cryptographic protocol that could allow an attacker to decrypt contents of encrypted connections to websites. Google's Security Team revealed on Tuesday that the most...
ToorCon: New Apps, Old Infrastructure Make Toxic Brew
In a variety of ways, experts at this weekend’s ToorCon Conference warned that the tidal wave of new devices and Web based services is straining an already aging Internet infrastructure, with privacy and security as the first victims. Call it the ‘schizophrenia of now’: a tidal wave of new...
Zero-Day Flaw Found in Web Encryption
A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt web pages, has been made public. The flaw allows an outsider to hijack a legitimate user’s browser session and successfully impersonate the user, the researchers said in a technical paper. Read the full story...