cvelist | GitHub_M | CVELIST:CVE-2023-49290
History: Dec 04, 2023 - 11:42 p.m.

CVE-2023-49290 Malicious parameters can cause a denial of service in lestrrat-go/jwx

2023-12-04 23:42:53
CWE-400
GitHub_M
www.cve.org

Tags: cve-2023-49290, lestrrat-go/jwx, jwx technologies, denial of service, algorithm pbes2, jwe, pbkdf2, jose header parameter, computational consumption, upgrade

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS: 0.001
Percentile: 17.0%

lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's PBES2-* algorithms could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive. Because the value comes from the token's header, an attacker who sets the p2c parameter in a JWE to a very large number can force the recipient to spend a large amount of computation on key derivation, resulting in a denial of service. This vulnerability has been addressed in commit 64f2a229b, which has been included in release versions 1.2.27 and 2.0.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.
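
The bound that closes this class of issue can be shown as a pre-decryption check on the protected header. The following is an added example, not code from lestrrat-go/jwx or from the fixing commit; it handles compact serialization only, and the names CheckP2C, MaxP2C and sampleJWE, the ceiling value and the sample headers are assumptions constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math"
	"strings"
)

// MaxP2C is an assumed local policy ceiling, not a value taken from jwx.
const MaxP2C = 10000

// CheckP2C reads the protected header of a compact-serialized JWE and rejects
// PBES2-* tokens whose p2c is missing, non-integral, below 1 or above max.
// It performs no key derivation, so it is cheap to run on untrusted input.
func CheckP2C(compact string, max int) error {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return errors.New("not a compact JWE")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("header base64: %w", err)
	}
	var h struct {
		Alg string   `json:"alg"`
		P2C *float64 `json:"p2c"` // float64 so oversized values parse instead of overflowing
	}
	if err := json.Unmarshal(raw, &h); err != nil {
		return fmt.Errorf("header JSON: %w", err)
	}
	if !strings.HasPrefix(h.Alg, "PBES2-") {
		return nil // p2c only applies to the PBKDF2-based algorithms
	}
	if h.P2C == nil || *h.P2C < 1 || *h.P2C != math.Trunc(*h.P2C) || *h.P2C > float64(max) {
		return fmt.Errorf("p2c missing or outside allowed range 1..%d", max)
	}
	return nil
}

// sampleJWE wraps a constructed header in a token with dummy remaining segments.
func sampleJWE(header string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(header)) + ".a.b.c.d"
}

func main() {
	fmt.Println(CheckP2C(sampleJWE(`{"alg":"PBES2-HS256+A128KW","p2c":2000000000}`), MaxP2C))
}
```

A check like this belongs in front of any decrypt call that accepts tokens from unauthenticated callers; it does not replace upgrading to a fixed release.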

CNA Affected

[
  {
    "vendor": "lestrrat-go",
    "product": "jwx",
    "versions": [
      {
        "version": "< 1.2.27",
        "status": "affected"
      },
      {
        "version": ">= 2.0.0, < 2.0.18",
        "status": "affected"
      }
    ]
  }
]
