PT-2024-23734 · Jjwt · Jjwt

Published: 2024-04-01 · Updated: 2024-08-27 · CVE-2024-31033

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: JJWT (aka Java JWT) through 0.12.5

Description: The issue concerns JJWT ignoring certain characters, potentially leading a user to falsely conclude they have a strong key. The impacted code includes the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class. However, the vendor disputes this issue, stating that it cannot occur without user error and that the tested version must have been outdated.

Recommendations: For JJWT through 0.12.5, consider reviewing the usage of the setSigningKey() and signWith() methods to ensure correct implementation and key strength assessment. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: Use of a Broken Cryptographic Algorithm

Related Identifiers: CVE-2024-31033, GHSA-R65J-6H5F-4F92

Affected Products: Jjwt