Lucene search

K

GoogleOSV:CVE-2024-28102

HistoryMar 21, 2024 - 2:52 a.m.

CVE-2024-28102

2024-03-2102:52:23

Google

osv.dev

14

cve-2024-28102

jwcrypto

python-cryptography

jwe token

denial of service

vulnerability

memory consumption

processing time

software

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

EPSS

0

Percentile

9.0%

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.

References

github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f

github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

EPSS

0

Percentile

9.0%

Related for OSV:CVE-2024-28102

openvas1 redhat3 almalinux1 osv6 prion1 veracode1 debiancve1 oraclelinux2 nessus8 cve1 redos1 cgr1 wolfi1 vulnrichment1 ubuntucve1 cvelist1 rocky2 nvd1 redhatcve1 github1 ibm3