GHSA-jgvc-jfgh-rjvv: 
Java vulnerability analysis and mitigation

RSA15 in jose4j (Maven package org.bitbucket.bc:jose4j) is susceptible to chosen ciphertext attacks that could allow decryption of RSA15 or RSAOAEP encrypted ciphertexts. The vulnerability was discovered on January 27, 2023, fixed on February 9, 2023, and publicly disclosed on April 27, 2023. This moderate severity vulnerability affects versions prior to 0.9.3 (GitHub Advisory).

The vulnerability stems from distinguishable behavior in jose4j's handling of RSA1_5 encrypted content. When processing ciphertexts with invalid PKCS #1 padding, the system generates a random AES key during decryption, leading to an authentication error. Additionally, when handling ciphertexts with valid PKCS #1 padding but incorrect encoded key size, it fails with a specific JoseException. The implementation also fails to properly validate algorithm consistency between the header and key specifications (GitHub Advisory).

The vulnerability enables attackers to perform chosen ciphertext attacks, potentially allowing them to decrypt both RSA15 and RSAOAEP encrypted ciphertexts. The attack is particularly concerning as it can bypass intended encryption protections by exploiting the system's distinguishable error behaviors (GitHub Advisory).

The vulnerability has been patched in jose4j version 0.9.3. Users should upgrade to this version or later to address the security issue. The fix was implemented through a commit that addresses the algorithm validation and padding oracle issues (Jose4j Commit).