jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext

A vulnerability has been identified in the JSON Web Encryption JWE decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a resul...

PT-2024-2063

Name of the Vulnerable Software and Affected Versions jose versions prior to 2.0.7 jose versions prior to 4.15.5 Description A vulnerability has been identified in the JSON Web Encryption JWE decryption interfaces, specifically related to the support for decompressing plaintext after its...

SUSE SLES15 Security Update : nodejs14 (SUSE-SU-2024:0732-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0732-1 advisory. - A vulnerability in the privateDecrypt API of the crypto library, allowed a covert timing side-channel during PKCS1 v1.5 padding...

GHSA-6QVW-249J-H44C jose4j denial of service via specifically crafted JWE

The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service CPU consumption via a large p2c aka PBES2 Count value...

UBUNTU-CVE-2023-51774

The json-jwt aka JSON::JWT gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode...

OESA-2024-1195 python-jwcrypto security update

Implements JWK, JWS, JWE specifications with python-cryptography Security Fixes: A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service DoS attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can resul...

OESA-2024-1197 python-jwcrypto security update

Implements JWK, JWS, JWE specifications with python-cryptography Security Fixes: A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service DoS attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can resul...

OESA-2024-1196 python-jwcrypto security update

Implements JWK, JWS, JWE specifications with python-cryptography Security Fixes: A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service DoS attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can resul...

Timing Side Channel Attack

NodeJS is vulnerable to Timing Side Channel Attack. The vulnerability is caused due to a defect in privateDecrypt API of the crypto library during PKCS1 v1.5 padding error handling where there is a significant timing differences in decryption for valid and invalid ciphertexts. An attackers can...

CVE-2023-46809

A flaw was found in Node.js. The privateDecrypt API of the crypto library may allow a covert timing side-channel during PKCS1 v1.5 padding error handling. This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decry...

Denial Of Service (DoS)

Microsoft.IdentityModel.JsonWebTokens and System.IdentityModel.Tokens.Jwt are vulnerable to Denial Of Service DoS. The vulnerability is cause by improper JWT compression checks, which results in resource exhaustion due processing of malicious JSON Web EncryptionJWE token. Successful exploitation...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling by processing JSON Web Encryption JWE tokens with a high compression ratio. An attacker can cause excessive memory allocation and processing time during decompression, leading to a...

GHSA-8G9C-28FC-MCX2 Duplicate Advisory: Microsoft Identity Denial of service vulnerability

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-59j7-ghrg-fj52. This link is maintained to preserve external references. Original Description Impact An attacker could exploit this vulnerability by crafting a malicious JSON Web Encryption JWE token with a high...

PT-2024-1246 · Microsoft +6 · Identity +6

Name of the Vulnerable Software and Affected Versions: Microsoft Identity versions prior to 5.7.0 Microsoft Identity versions prior to 6.34.0 Microsoft Identity versions prior to 7.1.2 Description: The issue is related to incorrect clearing or release of resources in the Microsoft Identity librar...

Node.js: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding)

A timing side-channel vulnerability in the crypto library's privateDecrypt API allowed attackers to remotely exploit and decrypt or forge signatures when processing encrypted messages...

USN-6307-1 cjose vulnerability

It was discovered that JOSE for C/C++ AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. An attacker could use this to cause a denial of service system crash or might expose sensitive information...

cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE

A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption JWE. A fixed length of 16 octets must ...

cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE

A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption JWE. A fixed length of 16 octets must ...

cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE

A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption JWE. A fixed length of 16 octets must ...

cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE

A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption JWE. A fixed length of 16 octets must ...