21 matches found
RockyLinux 9 : python-jwcrypto (RLSA-2026:19197)
The remote RockyLinux 9 host has a package installed that is affected by a vulnerability as referenced in the RLSA-2026:19197 advisory. JWCrypto: python-cryptography: python: JWCrypto: Memory exhaustion via crafted compressed JWE tokens CVE-2026-39373 Tenable has extracted the preceding descripti...
Low: Red Hat Security Advisory: python-jwcrypto security update
An update for python-jwcrypto is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fro...
ALSA-2026:19197 Low: python-jwcrypto security update
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...
RHEL 10 : python-jwcrypto (RHSA-2026:19042)
The remote Redhat Enterprise Linux 10 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:19042 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic...
RHEL 9 : python-jwcrypto (RHSA-2026:19197)
The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:19197 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic da...
ALSA-2026:19042 Low: python-jwcrypto security update
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...
SUSE SLES16 Security Update : python-jwcrypto (SUSE-SU-2026:21425-1)
The remote SUSE Linux SLES16 / SLESSAP16 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2026:21425-1 advisory. - CVE-2026-39373: weak mitigation for JWT bomb attack in the deserialize function can lead to memory exhaustion via crafted compressed JWE...
Amazon Linux 2023 : python3-jwcrypto (ALAS2023-2026-1590)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1590 advisory. JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression...
Amazon Linux 2 : python-jwcrypto, --advisory ALAS2-2026-3254 (ALAS-2026-3254)
The version of python-jwcrypto installed on the remote host is prior to 0.4.2-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3254 advisory. JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker...
SUSE-SU-2026:21425-1 Security update for python-jwcrypto
This update for python-jwcrypto fixes the following issues: - CVE-2026-39373: weak mitigation for JWT bomb attack in the deserialize function can lead to memory exhaustion via crafted compressed JWE tokens bsc1261802...
Security update for python-jwcrypto (important)
openSUSE Security Update: Security update for python-jwcrypto Announcement ID: openSUSE-SU-2026:0130-1 Rating: important References: 1209496 1219837 1221230 1261802 Cross-References: CVE-2022-3102 CVE-2023-6681 CVE-2024-28102 CVE-2026-39373 CVSS scores: CVE-2022-3102 SUSE: 4.2...
Security update for python-jwcrypto (important)
openSUSE Security Update: Security update for python-jwcrypto Announcement ID: openSUSE-SU-2026:0129-1 Rating: important References: 1209496 1219837 1221230 1261802 Cross-References: CVE-2022-3102 CVE-2023-6681 CVE-2024-28102 CVE-2026-39373 CVSS scores: CVE-2022-3102 SUSE: 4.2...
Denial of Service (DoS)
Overview github.com/dvsekhvalnov/jose2go is a Pure Golang GO library for generating, decoding and encrypting JSON Web Tokens. Zero dependency, relies only on standard library. Affected versions of this package are vulnerable to Denial of Service DoS via the processing of crafted JSON Web Encrypti...
CVE-2025-62706
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...
Insufficient Session Expiration
@auth0/nextjs-auth0 is vulnerable to Insufficient Session Expiration. The vulnerability is due to missing expiration claim due to not invoking .setExpirationTime when generating JWE tokens, allowing tokens to remain valid beyond intended session duration...
nextjs-auth0 代码问题漏洞
nextjs-auth0 is an Auth0 open source Next.js SDK for logging in using Auth0. A code issue vulnerability exists in versions of nextjs-auth0 prior to 4.0.1 through 4.5.1, which stems from not setting an expiration time when generating JWE tokens...
Medium: containerd
Issue Overview: Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. In versions on the 4.x branch prior to version 4.0.5, when parsing...
AZL-57153 CVE-2025-27144 affecting package containerd for versions less than 1.7.13-7
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE...
AZL-57171 CVE-2025-27144 affecting package moby-containerd for versions less than 1.6.26-10
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE...
Rocky Linux 9 : python-jwcrypto (RLSA-2024:2559)
The remote Rocky Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RLSA-2024:2559 advisory. - JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by...