CVE-2022-21449

CVE-2022-21449 Vulnerability tester Introduction There's a new CVE-2022-21449 that had bug in ECDSA signature verification It's one of the algorithms used with JWT for example Citing the blog post If you have deployed Java 15, Java 16, Java 17, or Java 18 in production then you should stop what you are doing and immediately update to install the fixes in the April

Hey, I'm Jamie Tanna (he/him/his) I'm currently between jobs, and I'm currently based in Nottingham I have a /now page, which aims to be a more up-to-date about page I use my personal website as a method of blogging about my learnings, as well as sharing information about projects I have previously, or am currently, working on in my spare time I maintain a nu

SignChecker Test tool to demonstrate the vulnerability of CVE-2022-21449

Demo program to showcase CVE-2022-21449 Pls run with JDK 1700

Books Applied Cryptography (Bruce Schneier) Introduction to Modern Cryptography: Principles and Protocols (Jonathan Katz & Yehuda Lindell) Real-World Cryptography (David Wong) The Joy of Cryptography (Mike Rosulek) Courses Cryptography I | Stanford Online Cryptography II | Stanford Online Crypto Attacks and Vulnerabilities AES Cache-timing attacks on AES - Daniel J

Java JWT A Java implementation of JSON Web Token (JWT) - RFC 7519 Important security note: JVM has a critical vulnerability for ECDSA Algorithms - CVE-2022-21449 Please review the details of the vulnerability and update your environment If you're looking for an Android version of the JWT Decoder take a look at our JWTDecodeAndroid library This library require

Learn250 Join me on my journey of learning for 250 days! It'll be indeed a fun challenge and we'll learn various things together Not only that, it will help me keep myself organized, motivated and focused ;) Day Topic 1 HTTP Request Smuggling on businessapplecom and Others - Writeup 2 A strategy to land your first pentest job - BlogAndroid Pentesting Se

CVE-2022-21449-TLS-PoC CVE-2022-21449 Proof of Concept demonstrating its usage with a vulnerable client and a malicious TLS server Building Requires some existing golang installation as well as maven, then run /buildsh

Proof-of-Concept labs This repository contains information, labs, and proof of concept for known vulnerabilities Sample Vulnerable Application of the JWT Null Signature A sample web application vulnerable to CVE-2022-21449

CVE-2022-21449 repo showcasing "psychic signatures in java"

Documentation - Getting Started - API Reference Feedback Documentation Examples - code samples for common java-jwt scenarios Docs site - explore our docs site and learn more about Auth0 Getting Started Requirements This library is supported for Java LTS versions 8, 11, and 17 For issues on non-LTS versions above 8, consideration will be given on a case-by-case basis j

jfrog-CVE-2022-21449

Which Version of JDK Should I Use? To build and run Java applications, a Java Compiler, Java Runtime Libraries, and a Virtual Machine are required that implement the Java Platform, Standard Edition ("Java SE") specification The OpenJDK is the open source reference implementation of the Java SE Specification, but it is only the source code Binary distributions are p

java-webauthn-server Server-side Web Authentication library for Java Provides implementations of the Relying Party operations required for a server to support Web Authentication This includes registering authenticators and authenticating registered authenticators Warning Psychic signatures in Java In April 2022, CVE-2022-21449 was disclosed in Oracle’s O

CVE-2022-21449: Psychic Signatures in Java

yara-rules CVE CVE-2022-21449

CVE-2022-21449-TLS-PoC CVE-2022-21449 (also dubbed Psychic Signatures in the vulnerability writeup by Neil Madden) Proof of Concept demonstrating its usage with a vulnerable client and a malicious TLS server The malicious server presents a valid (as of 2022-04-20) cert chain for wwwgooglecom which has an ECDSA pub key (secp256r1) However, the crypto/ecdsa package has been m

PoC in GitHub 2022 CVE-2022-0185 (2022-02-11) A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a f

PoC in GitHub 2022 CVE-2022-0185 (2022-02-11) A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a f