RubySec

Providing security resources for the Ruby community

CVE-2025-45765 (ruby-jwt): ruby-jwt < v3.0.0.beta1 was discovered to contain weak encryption

ADVISORIES

GEM

ruby-jwt

SEVERITY

CVSS v3.x: 9.1 (Critical)

PATCHED VERSIONS

  • >= 3.0.0.beta1

DESCRIPTION

ruby-jwt < v3.0.0.beta1 was discovered to contain weak encryption.

NOTE: the Supplier's perspective is "keysize is not something that is enforced by this library. Currently more recent versions of OpenSSL are enforcing some key sizes and those restrictions apply to the users of this gem also."

BACKGROUND

We found that the HMAC and RSA key lengths used in your JSON Web Signature (JWS) implementation do not meet recommended security standards (RFC 7518, NIST SP800-117, RFC 2437).

According to CWE-326 (Inadequate Encryption Strength), using keys that are too short can lead to serious vulnerabilities and potential attacks.
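What "recommended" means in practice is spelled out in RFC 7518: an HMAC key MUST be at least as long as the hash output (32 bytes for HS256, 48 for HS384, 64 for HS512, §3.2), and RSA keys of 2048 bits or more MUST be used (§3.3). The following is an added example, not code from the ruby-jwt gem or from this advisory: a minimal JWS signer/verifier over Ruby's OpenSSL standard library that enforces those two minimums before any signing or verification happens, which is exactly the check the supplier's note says the library leaves to OpenSSL. The function names, the error class and the demo HMAC key are assumptions for illustration only.

```ruby
require 'openssl'
require 'json'
require 'base64'

# RFC 7518 section 3.2: the HMAC key MUST be at least the hash output size.
HMAC_MIN_KEY_BYTES = { 'HS256' => 32, 'HS384' => 48, 'HS512' => 64 }.freeze
# RFC 7518 section 3.3: RSA keys of 2048 bits or larger MUST be used.
RSA_MIN_BITS = 2048

# Hypothetical error class raised when a key fails the minimum-size check.
class WeakKeyError < StandardError; end

def check_hmac_key!(alg, key)
  min = HMAC_MIN_KEY_BYTES.fetch(alg) { raise ArgumentError, "unsupported alg #{alg}" }
  if key.bytesize < min
    raise WeakKeyError, "#{alg} key is #{key.bytesize} bytes, RFC 7518 requires >= #{min}"
  end
  key
end

def check_rsa_key!(rsa_key)
  bits = rsa_key.n.num_bits
  raise WeakKeyError, "RSA key is #{bits} bits, RFC 7518 requires >= #{RSA_MIN_BITS}" if bits < RSA_MIN_BITS
  rsa_key
end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def digest_for(alg)
  OpenSSL::Digest.new("SHA#{alg[2..]}") # HS256 -> SHA256, etc.
end

# Constant-time comparison so a tampered tag cannot be probed byte by byte.
def ct_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def signing_input(alg, payload)
  header = b64url(JSON.generate({ alg: alg, typ: 'JWT' }))
  body = b64url(JSON.generate(payload))
  "#{header}.#{body}"
end

# HMAC-based JWS (HS256/HS384/HS512); refuses keys below the RFC minimum.
def hs_sign(alg, key, payload)
  check_hmac_key!(alg, key)
  input = signing_input(alg, payload)
  "#{input}.#{b64url(OpenSSL::HMAC.digest(digest_for(alg), key, input))}"
end

def hs_verify?(alg, key, token)
  check_hmac_key!(alg, key)
  header, body, sig = token.split('.')
  expected = OpenSSL::HMAC.digest(digest_for(alg), key, "#{header}.#{body}")
  ct_equal?(expected, Base64.urlsafe_decode64(sig))
end

# RSASSA-PKCS1-v1_5 with SHA-256 (RS256); refuses RSA keys below 2048 bits.
def rs256_sign(rsa_key, payload)
  check_rsa_key!(rsa_key)
  input = signing_input('RS256', payload)
  "#{input}.#{b64url(rsa_key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

def rs256_verify?(rsa_key, token)
  check_rsa_key!(rsa_key)
  header, body, sig = token.split('.')
  rsa_key.verify(OpenSSL::Digest.new('SHA256'), Base64.urlsafe_decode64(sig), "#{header}.#{body}")
end

if $PROGRAM_NAME == __FILE__
  demo_key = '0123456789abcdef0123456789abcdef' # constructed 32-byte demo key, not for real use
  puts hs_sign('HS256', demo_key, { 'sub' => 'alice' })
  begin
    hs_sign('HS256', 'short', { 'sub' => 'alice' }) # 5 bytes: rejected before signing
  rescue WeakKeyError => e
    puts "rejected: #{e.message}"
  end
end
```

The checks are deliberately placed on the verification path as well as the signing path: a verifier that accepts a 5-byte HS256 secret is just as exposed to brute force as the signer that minted the token with it. The RSA check uses the modulus bit length, so it catches a weak key whether it was generated locally or loaded from PEM.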

RELATED