CVE-2023-4759
Weak Cryptography vulnerability in org.eclipse.jgit (Maven)

What is CVE-2023-4759 About?

The Crypto-js PBKDF2 implementation is significantly weaker than current standards due to defaulting to SHA1 and only one iteration. This drastically reduces the security of derived keys, making it much easier for attackers to brute-force hashes. The vulnerability impacts any application using this library for password protection or signature generation, potentially leading to immediate compromise.

Affected Software

  • org.eclipse.jgit:org.eclipse.jgit
    • >6.0.0.202111291000-r, <6.6.1.202309021850-r
    • <5.13.3.202401111512-r

Technical Details

The Crypto-js PBKDF2 implementation suffers from two critical weaknesses. First, it defaults to SHA1, an outdated and cryptographically broken hash algorithm. Second, and more importantly, it defaults to a single iteration of the PBKDF2 function. PBKDF2 relies heavily on a high iteration count to slow down brute-force attacks by increasing the computational cost of hash generation. A single iteration provides almost no computational overhead, effectively negating the purpose of PBKDF2 as a key-derivation function designed for password stretching. This combination makes the derived keys extremely vulnerable to offline brute-force attacks, similar to using plain SHA1 hashes without salt or iteration. While HMAC-SHA1 is used, protecting against length extension attacks, the lack of iterations still leaves it susceptible to brute-forcing.
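
The single-iteration weakness described above, as an added example (not code from this advisory, from crypto-js, or from JGit): with one iteration, PBKDF2-HMAC-SHA1 output is exactly one HMAC-SHA1 call over the salt plus a 4-byte block counter, so the derivation adds no stretching. The function names, the 16-byte key length and the MIN_ITERATIONS policy floor are assumptions of this example, which uses only Node.js's built-in crypto module.

```javascript
// Added example: Node.js built-in crypto only (not crypto-js or JGit code).
const nodeCrypto = require('node:crypto');

const MIN_ITERATIONS = 600000;            // assumed policy floor for this example
const WEAK_DIGESTS = new Set(['sha1', 'md5']);

// PBKDF2 with the defaults the advisory describes: SHA1, one iteration.
// keyLen = 16 bytes is an assumption of this example.
function weakDefaultsDerive(password, salt, keyLen = 16) {
  return nodeCrypto.pbkdf2Sync(password, salt, 1, keyLen, 'sha1');
}

// With c = 1, PBKDF2 block T_1 = U_1 = HMAC(password, salt || INT_32_BE(1)),
// so the whole "stretching" step is one HMAC call per password guess.
function singleHmac(password, salt, keyLen = 16) {
  if (keyLen > 20) throw new RangeError('one SHA1 block yields at most 20 bytes');
  const blockIndex = Buffer.from([0, 0, 0, 1]);
  return nodeCrypto.createHmac('sha1', password)
    .update(Buffer.concat([salt, blockIndex]))
    .digest()
    .subarray(0, keyLen);
}

// Review-time check: flag PBKDF2 parameters that match the weak defaults.
function auditPbkdf2Params({ digest = 'sha1', iterations = 1 } = {}) {
  const findings = [];
  if (WEAK_DIGESTS.has(String(digest).toLowerCase())) {
    findings.push(`weak PRF digest: ${digest}`);
  }
  if (!Number.isInteger(iterations) || iterations < MIN_ITERATIONS) {
    findings.push(`iteration count ${iterations} is below ${MIN_ITERATIONS}`);
  }
  return findings;
}

// Explicit parameters instead of library defaults.
function hardenedDerive(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, MIN_ITERATIONS, 32, 'sha256');
}

// Constructed sample input.
const sampleSalt = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
console.log(weakDefaultsDerive('example-pw', sampleSalt).equals(singleHmac('example-pw', sampleSalt)));
console.log(auditPbkdf2Params());
```

Calling auditPbkdf2Params() with no arguments models a call site that relies on the defaults, and it reports both findings.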

What is the Impact of CVE-2023-4759?

Successful exploitation may allow attackers to easily crack password hashes, compromise user accounts, forge digital signatures, or decrypt sensitive data protected by keys derived using this weak implementation, leading to severe data breach and unauthorized access.

What is the Exploitability of CVE-2023-4759?

Exploitation complexity is considered low once an attacker obtains the weakly-derived hashes (e.g., password hashes, signature keys). No authentication or special privileges are required for the exploitation process itself, beyond obtaining the target hashes. This is an offline attack; the attacker does not need direct access to the vulnerable system. Prerequisites include obtaining the hashes generated by the vulnerable Crypto-js library. The primary method of exploitation is offline brute-forcing, which is made significantly easier and faster due to the single iteration count and the use of SHA1. Risk factors that increase the likelihood of exploitation include any scenario where these hashes are stored or transmitted and subsequently exposed to an attacker.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2023-4759?

Available Upgrade Options

  • org.eclipse.jgit:org.eclipse.jgit
    • <5.13.3.202401111512-r → Upgrade to 5.13.3.202401111512-r
  • org.eclipse.jgit:org.eclipse.jgit
    • >6.0.0.202111291000-r, <6.6.1.202309021850-r → Upgrade to 6.6.1.202309021850-r

Additional Resources

What are Similar Vulnerabilities to CVE-2023-4759?

Similar Vulnerabilities: CVE-2022-24756, CVE-2020-10660, CVE-2019-17482, CVE-2018-12497, CVE-2017-9097