CVE-2024-28176 jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext

2024-03-0900:43:06

CWE-400

GitHub_M

www.cve.org

cve-2024-28176

javascript module

resource exhaustion

jwe

json web encryption

decompressing plaintext

cpu time

memory

patch

versions 2.0.7

4.15.5

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

5.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.1%

JSON

jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has
been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user’s environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.

CNA Affected

[
  {
    "vendor": "panva",
    "product": "jose",
    "versions": [
      {
        "version": ">= 3.0.0, <= 4.15.4",
        "status": "affected"
      },
      {
        "version": "< 2.0.7",
        "status": "affected"
      }
    ]
  }
]