Back to bug 2223295
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Vipul Nair | 2023-07-17 11:01:58 UTC | Depends On | | 2223307, 2223308 |
| Vipul Nair | 2023-07-17 11:18:54 UTC | Blocks | | 2223315 |
| TEJ RATHI | 2023-07-17 11:46:52 UTC | Depends On | | 2223330 |
| Sandipan Roy | 2023-07-18 04:29:08 UTC | Priority | medium | high |
| | | Severity | medium | high |
| Sandipan Roy | 2023-07-18 04:29:40 UTC | Summary | TRIAGE-CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE | CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE |
| Sandipan Roy | 2023-07-18 04:31:26 UTC | Depends On | | 2223491, 2223489, 2223490, 2223492, 2223488, 2223487, 2223493 |
| Sandipan Roy | 2023-07-18 04:32:09 UTC | Summary | CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE | cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE |
| | | Alias | TRIAGE-CVE-2023-37464 | CVE-2023-37464 |
| Sandipan Roy | 2023-07-18 04:32:35 UTC | Summary | cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE | CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE |
| Sandipan Roy | 2023-07-18 04:35:35 UTC | Doc Text | | A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. |
| Paige Jung | 2023-07-18 18:23:51 UTC | Doc Text | A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. | A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. A fixed length of 16 octets must be applied. This issue may allow an attacker to provide a truncated Authentication Tag and modify the JWE accordingly. |
| RaTasha Tillery-Smith | 2023-07-18 18:25:24 UTC | Doc Text | A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. A fixed length of 16 octets must be applied. This issue may allow an attacker to provide a truncated Authentication Tag and modify the JWE accordingly. | A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets must be applied. This flaw allows an attacker to provide a truncated Authentication Tag and modify the JWE. |
| TEJ RATHI | 2023-08-01 08:55:11 UTC | Summary | CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE | cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE |
| | | Alias | CVE-2023-37464 | |
| TEJ RATHI | 2023-08-01 08:55:24 UTC | Summary | cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE | CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE |
| | | Alias | | CVE-2023-37464 |
| errata-xmlrpc | 2023-08-01 13:33:29 UTC | Link ID | | Red Hat Product Errata RHSA-2023:4408 |
| errata-xmlrpc | 2023-08-01 13:42:04 UTC | Link ID | | Red Hat Product Errata RHSA-2023:4410 |
| errata-xmlrpc | 2023-08-01 13:42:13 UTC | Link ID | | Red Hat Product Errata RHSA-2023:4409 |
| errata-xmlrpc | 2023-08-01 13:49:59 UTC | Link ID | | Red Hat Product Errata RHSA-2023:4411 |
| errata-xmlrpc | 2023-08-01 14:14:51 UTC | Link ID | | Red Hat Product Errata RHSA-2023:4417 |
| errata-xmlrpc | 2023-08-01 14:21:00 UTC | Link ID | | Red Hat Product Errata RHSA-2023:4418 |
| errata-xmlrpc | 2023-08-02 07:56:39 UTC | Link ID | | Red Hat Product Errata RHSA-2023:4429 |