28 matches found
jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption JWE token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This...
Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS
Scrapy are vulnerable to a denial of service DoS attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occur...
CVE-2024-29371
In jose4j before 0.9.6, an attacker can cause a Denial-of-Service DoS condition by crafting a malicious JSON Web Encryption JWE token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during...
UBUNTU-CVE-2024-29371
In jose4j before 0.9.6, an attacker can cause a Denial-of-Service DoS condition by crafting a malicious JSON Web Encryption JWE token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during...
Linux Distros Unpatched Vulnerability : CVE-2024-28102
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by...
[SECURITY] Fedora 41 Update: xz-5.8.1-2.fc41
XZ Utils are an attempt to make LZMA compression easy to use on free as in freedom operating systems. This is achieved by providing tools and libraries which are similar to use than the equivalents of the most popular existing compression algorithms. LZMA is a general purpose compression algorith...
[SECURITY] Fedora 40 Update: xz-5.8.1-2.fc40
XZ Utils are an attempt to make LZMA compression easy to use on free as in freedom operating systems. This is achieved by providing tools and libraries which are similar to use than the equivalents of the most popular existing compression algorithms. LZMA is a general purpose compression algorith...
[SECURITY] Fedora 40 Update: p7zip-16.02-31.fc40
p7zip is a port of 7za.exe for Unix. 7-Zip is a file archiver with a very high compression ratio. The original version can be found at http://www.7-zip.org/...
Amazon Linux 2023 : python3, python3-devel, python3-idle (ALAS2023-2024-605)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-605 advisory. An issue was found in the CPython zipfile module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to quoted-overlap zip-bombs which exploit the...
CVE-2024-33664
python-jose through 3.3.0 allows attackers to cause a denial of service resource consumption during a decode via a crafted JSON Web Encryption JWE token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319...
PYSEC-2024-233
python-jose through 3.3.0 allows attackers to cause a denial of service resource consumption during a decode via a crafted JSON Web Encryption JWE token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319...
Medium: python3
Issue Overview: An issue was found in the CPython zipfile module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed...
Amazon Linux 2023 : python3.11, python3.11-devel, python3.11-idle (ALAS2023-2024-588)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-588 advisory. An issue was found in the CPython zipfile module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to quoted-overlap zip-bombs which exploit the...
Updated python3, python packages fix security vulnerabilities
The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. CVE-2023-6597 The zipfile module is...
CVE-2024-28102
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and...
CVE-2024-0450
An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython...
CVE-2024-0450 Quoted zip-bomb protection for zipfile
An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython...
CVE-2024-0450
An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython...
CVE-2024-28122 JWX vulnerable to a denial of service attack using compressed JWE message
JWX is Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service DoS condition by crafting a malicious JSON Web Encryption JWE token with an exceptionally high...
CVE-2024-28102
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and...