Lucene search

GitHub Advisory DatabaseGHSA-9MG4-V392-8J68

HistoryMar 19, 2024 - 3:30 p.m.

erlang-jose vulnerable to denial of service via large p2c value

2024-03-1915:30:34

CWE-400

GitHub Advisory Database

github.com

erlang-jose

denial of service

cpu consumption

pbes2 count

jose header

vulnerability

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

Confidence

High

EPSS

Percentile

15.5%

JSON

erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allow attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value in a JOSE header.

Affected configurations

Vulners

Node

joseRange<1.11.7

VendorProductVersionCPE
*jose*cpe:2.3:a:*:jose:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	jose	*	cpe:2.3:a::jose::::::::*

References

github.com/advisories/GHSA-9mg4-v392-8j68

github.com/P3ngu1nW/CVE_Request/blob/main/erlang-jose.md

github.com/potatosalad/erlang-jose

github.com/potatosalad/erlang-jose/commit/718d213f07b08056737923f8063d5df56dcb66ae

hexdocs.pm/jose/JOSE.html

nvd.nist.gov/vuln/detail/CVE-2023-50966

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for GHSA-9MG4-V392-8J68