Lucene search
K

16 matches found

RustSec
RustSec
added 2026/06/12 12:0 p.m.14 views

Unbounded SCRAM iteration count allows a malicious server to cause CPU-exhaustion denial of service

A malicious, compromised, or man-in-the-middle server can supply an arbitrarily large SCRAM-SHA-256 PBKDF2 iteration count during authentication. The client runs it inline with no upper bound, pinning a tokio worker thread for minutes per connection, possibly stalling the whole async runtime...

5.4AI score
Exploits0Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 8:9 p.m.12 views

pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS

Summary pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. Impact A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time...

7.5CVSS5.8AI score0.0077EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/05 8:9 p.m.5 views

GHSA-98QH-XJC8-98PQ pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS

Summary pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. Impact A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time...

7.5CVSS5.8AI score0.0077EPSS
Exploits0References4
NVD
NVD
added 2026/04/29 4:16 p.m.6 views

CVE-2026-42198

pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count...

7.5CVSS0.0077EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/04/29 3:58 p.m.36 views

CVE-2026-42198 pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS

pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count...

7.5CVSS0.0077EPSS
Exploits0References2
CVE
CVE
added 2026/04/29 3:58 p.m.130 views

CVE-2026-42198

CVE-2026-42198 affects the pgjdbc PostgreSQL JDBC driver in versions 42.2.0 through before 42.7.11. The vulnerability is a client-side denial of service during SCRAM-SHA-256 authentication: a malicious server can force SCRAM with an extremely high iteration count, causing the client to spend unbo...

7.5CVSS5.3AI score0.0077EPSS
Exploits0References9Affected Software1
OSV
OSV
added 2026/04/29 3:58 p.m.2 views

CVE-2026-42198 pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS

pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count...

7.5CVSS6.9AI score0.0077EPSS
Exploits0References11
UbuntuCve
UbuntuCve
added 2026/03/03 11:15 p.m.7 views

CVE-2026-27932

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows an unauthenticated attacker to cause a Denial of Service DoS via CPU exhaustion. When the library...

7.5CVSS5.9AI score0.00432EPSS
Exploits2References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2023-3143

Malicious code in bioql PyPI...

5.3CVSS5.8AI score0.00723EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2025/06/29 12:0 a.m.13 views

PT-2026-36987

Name of the Vulnerable Software and Affected Versions net-imap affected versions not specified Description A hostile IMAP server can trigger a computational denial-of-service attack on the client process during authentication using SCRAM-SHA1 or SCRAM-SHA256. By sending an arbitrarily large PBKDF...

9.8CVSS6AI score0.00429EPSS
Exploits0References43
Github Security Blog
Github Security Blog
added 2025/06/18 5:51 p.m.8 views

Taylored webhook validation vulnerabilities

Critical Security Advisory for Taylored npm package v7.0.7 - tag 7.0.5 Summary A series of moderate to high-severity security vulnerabilities have been identified specifically in version 7.0.7 of \taylored. These vulnerabilities reside in the "Backend-in-a-Box" template distributed with this...

7.5AI score
Exploits0References3Affected Software1
RedHat Linux
RedHat Linux
added 2024/10/14 6:7 p.m.6 views

jose4j: denial of service via specially crafted JWE

A flaw was found in the jose.4.j jose4j library. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c PBES2 Count. This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down...

6.5CVSS7.1AI score0.00879EPSS
Exploits1References4
RedHat Linux
RedHat Linux
added 2024/10/14 6:1 p.m.5 views

jose4j: denial of service via specially crafted JWE

A flaw was found in the jose.4.j jose4j library. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c PBES2 Count. This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down...

6.5CVSS7.1AI score0.00879EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2023/12/04 11:42 p.m.5 views

CVE-2023-49290 Malicious parameters can cause a denial of service in lestrrat-go/jwx

lestrrat-go/jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. A p2c parameter set too high in JWE's algorithm PBES2- could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c...

5.3CVSS7.2AI score0.00723EPSS
Exploits1References2
OSV
OSV
added 2022/09/07 10:15 p.m.3 views

UBUNTU-CVE-2022-36083

JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named p2c PBES2 Count, which determine...

5.3CVSS6.8AI score0.01112EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2022/09/07 12:0 a.m.6 views

PT-2022-23172

Name of the Vulnerable Software and Affected Versions JOSE versions prior to v1.28.2 JOSE versions prior to v2.0.6 JOSE versions prior to v3.20.4 JOSE versions prior to v4.9.2 Description The PBKDF2-based JWE key management algorithms in JOSE expect a JOSE Header Parameter named p2c PBES2 Count,...

5.3CVSS6.6AI score0.01112EPSS
Exploits1References16
Rows per page
Query Builder