OSV:GO-2023-2334
Nov 21, 2023 - 3:39 p.m.

Denial of service via decryption of malicious PBES2 JWE objects in github.com/go-jose/go-jose/v3

2023-11-21 15:39:17
Google
osv.dev
denial of service
decryption
pbes2
jwe
go-jose package

AI Score: 7 High
Confidence: High

The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

CPE  Name  Operator  Version
github.com/go-jose/go-jose/v3  lt  3.0.1
