CVE-2023-37464

OpenIDC/cjose is a C library implementing JavaScript Object Signing and Encryption (JOSE). Its AES-GCM decryption routine takes the tag length from the Authentication Tag actually supplied in the JWE instead of applying the fixed 16-octet length that the specification requires. An attacker can therefore supply a truncated Authentication Tag and modify the JWE accordingly. Users should upgrade to version 0.6.2.2 or later. Users who cannot upgrade should avoid AES GCM encryption and use another encryption algorithm (e.g. AES CBC) instead.
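The defensive check the fix amounts to, shown as an added example rather than cjose's own code: parse a compact JWE, and for the AES-GCM content encryption algorithms reject any Authentication Tag that is not exactly 16 octets (and any IV that is not 12) before anything is handed to a decryptor. The sample JWE below is constructed from placeholder bytes, not a real encryption.

```python
import base64
import json

# Lengths fixed by RFC 7518 section 5.3 for the AES-GCM content encryption algorithms.
GCM_ENCS = {"A128GCM", "A192GCM", "A256GCM"}
GCM_TAG_LEN = 16  # 128-bit Authentication Tag, never shorter
GCM_IV_LEN = 12   # 96-bit Initialization Vector


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment of a JWE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_gcm_jwe(compact_jwe: str) -> dict:
    """Split a compact JWE; return its parts or raise ValueError on a bad GCM tag/IV length."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have exactly 5 segments")
    header_b64, key_b64, iv_b64, ct_b64, tag_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("enc") not in GCM_ENCS:
        raise ValueError(f"not an AES-GCM JWE (enc={header.get('enc')!r})")
    iv, tag = b64url_decode(iv_b64), b64url_decode(tag_b64)
    # The bug trusted len(tag) as the tag length; the fix requires exactly 16 octets.
    if len(tag) != GCM_TAG_LEN:
        raise ValueError(f"authentication tag is {len(tag)} octets, expected {GCM_TAG_LEN}")
    if len(iv) != GCM_IV_LEN:
        raise ValueError(f"IV is {len(iv)} octets, expected {GCM_IV_LEN}")
    return {"header": header, "encrypted_key": b64url_decode(key_b64), "iv": iv,
            "ciphertext": b64url_decode(ct_b64), "tag": tag,
            "aad": header_b64.encode("ascii")}  # GCM AAD is the ASCII protected header


# Constructed sample (placeholders, not a real encryption): alg "dir" carries an empty
# encrypted-key segment, then a 12-octet IV, 20 octets of ciphertext and a 16-octet tag.
HEADER = b64url_encode(json.dumps({"alg": "dir", "enc": "A256GCM"}).encode())
SAMPLE_JWE = ".".join([HEADER, "", b64url_encode(bytes(12)),
                       b64url_encode(b"\x01" * 20), b64url_encode(b"\x02" * 16)])
# The same JWE with the tag truncated to 4 octets, which the length check must reject.
TRUNCATED_JWE = SAMPLE_JWE.rsplit(".", 1)[0] + "." + b64url_encode(b"\x02" * 4)

if __name__ == "__main__":
    print(check_gcm_jwe(SAMPLE_JWE)["header"])
    try:
        check_gcm_jwe(TRUNCATED_JWE)
    except ValueError as err:
        print("rejected:", err)
```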
CVSS 3.x Base Score

Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  8.6 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

EPSS Score
Percentile: 41%
Affected Products (NVD)

Vendor  Product  Version
cisco   cjose    < 0.6.2.2 (vulnerable software versions)
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.

Vendor  Product  Version                 Source
cisco   cjose    < 0.6.2.2 (vulnerable)  ADP
Debian Releases

Debian Product: cjose

Codename             Version                Status
bookworm             0.6.2.1-1+deb12u1      fixed
bookworm (security)  0.6.2.1-1+deb12u1      fixed
bullseye             0.6.1+dfsg1-1+deb11u1  fixed
bullseye (security)  0.6.1+dfsg1-1+deb11u1  fixed
sid                  0.6.2.3-1              fixed
trixie               0.6.2.3-1              fixed
Ubuntu Releases

Ubuntu Product: cjose

Codename  Fixed Version                Status
bionic    0.6.0+dfsg1-1ubuntu0.1~esm1  released
focal     0.6.1+dfsg1-1ubuntu0.1       released
jammy     0.6.1+dfsg1-3ubuntu1.1       released
kinetic   -                            ignored
lunar     0.6.2.1-1ubuntu0.1           released
mantic    -                            ignored
noble     -                            needs-triage
oracular  -                            needs-triage
trusty    -                            ignored
xenial    -                            ignored
openSUSE / SLES Releases

openSUSE Product: libcjose-devel

Release                        Version             Status
suse enterprise sap 15 SP1     0.6.1-150100.4.6.1  fixed
suse enterprise sap 15 SP2     0.6.1-150100.4.6.1  fixed
suse enterprise sap 15 SP3     0.6.1-150100.4.6.1  fixed
suse enterprise sap 15 SP4     0.6.1-150100.4.6.1  fixed
suse enterprise sap 15 SP5     0.6.1-150100.4.6.1  fixed
suse enterprise sap 15 SP7     0.6.1-150600.16.2   fixed
suse enterprise server 15 SP1  0.6.1-150100.4.6.1  fixed
suse enterprise server 15 SP2  0.6.1-150100.4.6.1  fixed
suse enterprise server 15 SP3  0.6.1-150100.4.6.1  fixed
suse enterprise server 15 SP4  0.6.1-150100.4.6.1  fixed
suse enterprise server 15 SP5  0.6.1-150100.4.6.1  fixed
suse enterprise server 15 SP7  0.6.1-150600.16.2   fixed

openSUSE Product: libcjose0

Release                        Version             Status
suse enterprise sap 15 SP1     0.6.1-150100.4.6.1  fixed
suse enterprise sap 15 SP2     0.6.1-150100.4.6.1  fixed
suse enterprise sap 15 SP3     0.6.1-150100.4.6.1  fixed
suse enterprise sap 15 SP4     0.6.1-150100.4.6.1  fixed
suse enterprise sap 15 SP5     0.6.1-150100.4.6.1  fixed
suse enterprise sap 15 SP7     0.6.1-150600.16.2   fixed
suse enterprise server 15 SP1  0.6.1-150100.4.6.1  fixed
suse enterprise server 15 SP2  0.6.1-150100.4.6.1  fixed
suse enterprise server 15 SP3  0.6.1-150100.4.6.1  fixed
suse enterprise server 15 SP4  0.6.1-150100.4.6.1  fixed
suse enterprise server 15 SP5  0.6.1-150100.4.6.1  fixed
suse enterprise server 15 SP7  0.6.1-150600.16.2   fixed
Red Hat Enterprise Linux Releases

Red Hat Product: cjose

Release  Version           Status
RHEL 9   0:0.6.1-13.el9_2  fixed