b_c / jose4j / issues / #16 - is jose4j protected against this vulnerability? — Bitbucket

Issue #16 resolved

Former user created an issue 2015-04-12

https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/

Comments (4)

Brian Campbell repo owner
Short answer is yes, jose4j has protections against those vulnerabilities.

More detailed info can be found at https://bitbucket.org/b_c/jose4j/wiki/04-01-15-Transparency
- 2015-04-12T02:44:56+00:00
Brian Campbell repo owner
- marked as task
- 2015-04-12T02:45:15+00:00
Brian Campbell repo owner
Unless you are using Bouncy Castle as a Java security provider, in which case the public key as an HMAC secret key attack may be possible. Version 0.4.4 fixes that - https://bitbucket.org/b_c/jose4j/wiki/Release%20Notes. And I've added some info about it at https://bitbucket.org/b_c/jose4j/wiki/04-01-15-Transparency
- 2015-07-30T21:23:30+00:00
Brian Campbell repo owner
- changed status to resolved
ce54d81 addressed the one problem when used w/ BC
- 2015-09-21T17:09:38+00:00
Log in to comment

Assignee: –

Type: task

Priority: major

Status: resolved

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!