[NAME OF AFFECTED PRODUCT(S)]: Jose4j
[AFFECTED AND/OR FIXED VERSION(S)]: before version 0.9.3
[PROBLEM TYPE]:
Vulnerability Type: Weak Cryptographic Hash: Insecure PBE Iteration Count
Root Cause: CWE-331: Insufficient Entropy
[DESCRIPTION]: jose4j is a JWT (JSON Web Token) library used for generating and verifying JWTs. The jose4j library supports the use of the PBE (Password-Based Encryption) algorithm to protect JWT tokens. Within the jose4j library, it allows for setting a too small iteration count when using the PBE algorithm.
The iteration count is traditionally used to increase the cost of key derivation from a password. If the iteration count is set too low, it can increase the feasibility of attacks because attackers may compute a "rainbow table" for the application and more easily determine hashed password values.
It's essential to set an appropriate and secure iteration count to ensure the security of PBE-based JWT protection and protect against potential attacks.
[Reference]: b_c / jose4j / issues / #203 - Insecure support of setting PBE less then 1000 iteration count — Bitbucket