Lucene search

[email protected]NVD:CVE-2022-38493

HistoryAug 20, 2022 - 8:15 p.m.

CVE-2022-38493

2022-08-2020:15:08

CWE-327

[email protected]

web.nvd.nist.gov

rhonabwy

rsa

encryption

vulnerability

denial of service

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.4%

JSON

Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn’t check the RSA private key length before RSA-OAEP decryption. This allows attackers to cause a Denial of Service via a crafted JWE (JSON Web Encryption) token.

Affected configurations

Nvd

Node

rhonabwy_projectrhonabwyRange0.9.99–1.1.6

VendorProductVersionCPE
rhonabwy_projectrhonabwy*cpe:2.3:a:rhonabwy_project:rhonabwy:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
rhonabwy_project	rhonabwy	*	cpe:2.3:a:rhonabwy_project:rhonabwy::::::::

References

github.com/babelouest/rhonabwy/commit/dd528b3aabd13863f855a68e76966e4e019fc399

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.4%

JSON

Related for NVD:CVE-2022-38493

ubuntucve1 prion1 debiancve1 cve1 cvelist1