Source: cvelist (GitHub_M), CVELIST:CVE-2024-28102
History: Mar 06, 2024 - 9:09 p.m.

CVE-2024-28102 JWCrypto vulnerable to JWT bomb Attack in `deserialize` function

Published: 2024-03-06 21:09:58
CWE-770
CNA: GitHub_M
Reference: www.cve.org
Tags: jwcrypto, jwt bomb attack, python-cryptography, denial of service, jwe token, memory consumption, processing time, vulnerability fix

CVSS3: 6.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
EPSS: 0
Percentile: 9.0%

JWCrypto implements the JWK, JWS, and JWE specifications on top of python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service by submitting a malicious JWE token whose compressed payload has a very high compression ratio (a "JWT bomb"). When the server decrypts and then decompresses such a token, it consumes a large amount of memory and processing time relative to the few kilobytes it received. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.
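To make the failure mode concrete, the following Python is an added example (not jwcrypto's code and not part of the original advisory). It models only the "zip":"DEF" stage of JWE processing, where the decrypted ciphertext is inflated with raw DEFLATE (RFC 7516 section 4.1.3), because that is where the bomb does its damage; the encryption layer is omitted. It builds a constructed bomb payload, shows the pre-fix "inflate whatever arrives" pattern, and then a hardened inflater with two independent guards: a cap on the compressed token length, which is the kind of limit the advisory describes, plus a cap on the inflated output enforced through zlib's max_length mechanism. All function names and the two size limits are illustrative assumptions, not values taken from jwcrypto.

```python
"""DEFLATE "JWT bomb" demo and two defensive limits (added example, not jwcrypto code)."""
import zlib

# Illustrative limits chosen for this example (assumptions, not jwcrypto's defaults):
# how many compressed bytes we accept, and how many bytes we are willing to inflate them into.
MAX_COMPRESSED_BYTES = 256 * 1024
MAX_PLAINTEXT_BYTES = 1024 * 1024


class TokenTooLarge(ValueError):
    """Raised when a token exceeds a size limit before or during inflation."""


def deflate_raw(plaintext: bytes) -> bytes:
    """Raw DEFLATE (no zlib header/trailer), which is what JWE "zip":"DEF" carries."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(plaintext) + c.flush()


def make_bomb(plain_size: int) -> bytes:
    """Constructed attacker payload: highly repetitive plaintext compresses at
    roughly 1000:1, so a few KiB of token inflates to many MiB."""
    return deflate_raw(b"\0" * plain_size)


def inflate_unbounded(compressed: bytes) -> bytes:
    """Pre-fix pattern: inflate whatever the token contains. Memory and CPU cost
    scale with the decompressed size, which the attacker controls."""
    return zlib.decompress(compressed, -zlib.MAX_WBITS)


def inflate_bounded(compressed: bytes,
                    max_compressed: int = MAX_COMPRESSED_BYTES,
                    max_plain: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Hardened pattern.

    Guard 1 (the kind of limit the advisory describes): reject oversize
    compressed input before handing it to zlib at all.
    Guard 2: bound the output. decompressobj.decompress(data, max_length)
    stops producing bytes once max_length is reached, so even a token that
    passes guard 1 cannot inflate past max_plain; we ask for one byte more
    than allowed and treat receiving it as proof the limit was exceeded.
    """
    if len(compressed) > max_compressed:
        raise TokenTooLarge(f"compressed token is {len(compressed)} bytes, limit {max_compressed}")
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    out = bytearray()
    pending = compressed
    while pending:
        out += d.decompress(pending, max_plain + 1 - len(out))
        if len(out) > max_plain:
            raise TokenTooLarge(f"inflated payload exceeds {max_plain} bytes")
        pending = d.unconsumed_tail  # non-empty only if the output cap stopped us early
    out += d.flush()
    if len(out) > max_plain:
        raise TokenTooLarge(f"inflated payload exceeds {max_plain} bytes")
    if not d.eof:
        raise ValueError("truncated or corrupt DEFLATE stream")
    return bytes(out)


def rejects(compressed: bytes, **limits) -> bool:
    """True if inflate_bounded refuses the token under the given limits."""
    try:
        inflate_bounded(compressed, **limits)
    except TokenTooLarge:
        return True
    return False


def demo(plain_size: int = 8 * 1024 * 1024) -> dict:
    """Build an 8 MiB bomb (a few KiB on the wire), show that it slips past a
    256 KiB token-length cap alone but is stopped by the output bound, and that
    an ordinary small claims payload still round-trips."""
    bomb = make_bomb(plain_size)
    claims = b'{"sub":"alice","exp":1700000000}'  # constructed sample payload
    return {
        "compressed_bytes": len(bomb),
        "ratio": plain_size // len(bomb),
        "passes_length_cap_alone": len(bomb) <= MAX_COMPRESSED_BYTES,
        "bounded_rejected": rejects(bomb),
        "legit_roundtrip": inflate_bounded(deflate_raw(claims)) == claims,
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping both guards is the ratio shown by demo(): at roughly 1000:1, a token that fits comfortably under a 256 KiB length cap can still inflate to hundreds of MiB, so a cap on the compressed size bounds the attacker's cost while a cap on the inflated size bounds yours. Calling inflate_unbounded on the bomb is left to the reader; it allocates the full plaintext before returning.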

CNA Affected

[
  {
    "vendor": "latchset",
    "product": "jwcrypto",
    "versions": [
      {
        "version": "< 1.5.6",
        "status": "affected"
      }
    ]
  }
]
