python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a “JWT bomb.” This is similar to CVE-2024-21319.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | python-jose | <= 3.3.0+dfsg-4 | python-jose_3.3.0+dfsg-4_all.deb |
Debian | 999 | all | python-jose | <= 3.3.0+dfsg-5 | python-jose_3.3.0+dfsg-5_all.deb |
Debian | 13 | all | python-jose | <= 3.3.0+dfsg-5 | python-jose_3.3.0+dfsg-5_all.deb |
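
The resource consumption described above comes from inflating a compressed JWE plaintext with no output bound. The following is an added example of a bounded inflate step, not python-jose's own code or its fix; it assumes the raw DEFLATE framing that RFC 7516 defines for `"zip": "DEF"`, and `MAX_PLAINTEXT`, `bounded_inflate` and `raw_deflate` are hypothetical names.

```python
import zlib

MAX_PLAINTEXT = 256 * 1024  # assumed cap; size it to your largest legitimate token


class DecompressionLimitExceeded(ValueError):
    """Raised when the inflated plaintext would exceed the configured cap."""


def bounded_inflate(data: bytes, limit: int = MAX_PLAINTEXT) -> bytes:
    """Inflate a JWE "zip": "DEF" plaintext, never producing more than limit bytes."""
    inflater = zlib.decompressobj(-15)  # raw DEFLATE (RFC 1951), per RFC 7516
    # max_length makes zlib stop once limit + 1 bytes exist, so memory stays
    # bounded no matter how large the stream claims to be.
    out = inflater.decompress(data, limit + 1)
    if len(out) > limit:
        raise DecompressionLimitExceeded(f"plaintext exceeds {limit} bytes")
    if not inflater.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    return out


def raw_deflate(data: bytes) -> bytes:
    """Helper used only to build the constructed samples below."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def demo() -> dict:
    """Run the check on two constructed inputs and report the outcome."""
    claims = b'{"sub": "alice", "scope": "read"}'   # constructed sample
    oversized = raw_deflate(b"\x00" * (1024 * 1024))  # constructed sample
    result = {"claims": bounded_inflate(raw_deflate(claims)),
              "oversized_input_bytes": len(oversized)}
    try:
        bounded_inflate(oversized)
        result["oversized_rejected"] = False
    except DecompressionLimitExceeded:
        result["oversized_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Capping the size of the serialized token before any decryption is a useful second limit, since it bounds the work done on input that never reaches the inflate step.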