CVE-2024-28102

2024-03-2102:52:23

Debian Security Bug Tracker

security-tracker.debian.org

cve-2024-28102

jwcrypto

jwk

jws

jwe

python-cryptography

denial of service

attack

fix

version 1.5.6

vulnerability

memory

processing time

high compression ratio

token length

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.

OSVersionArchitecturePackageVersionFilename
Debian12allpython-jwcrypto<= 1.1.0-1python-jwcrypto_1.1.0-1_all.deb
Debian11allpython-jwcrypto<= 0.8.0-1python-jwcrypto_0.8.0-1_all.deb
Debian999allpython-jwcrypto< 1.5.6-1python-jwcrypto_1.5.6-1_all.deb
Debian13allpython-jwcrypto< 1.5.6-1python-jwcrypto_1.5.6-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	python-jwcrypto	<= 1.1.0-1	python-jwcrypto_1.1.0-1_all.deb
Debian	11	all	python-jwcrypto	<= 0.8.0-1	python-jwcrypto_0.8.0-1_all.deb
Debian	999	all	python-jwcrypto	< 1.5.6-1	python-jwcrypto_1.5.6-1_all.deb
Debian	13	all	python-jwcrypto	< 1.5.6-1	python-jwcrypto_1.5.6-1_all.deb