344 matches found
UBUNTU-CVE-2023-51774
The json-jwt aka JSON::JWT gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode...
OESA-2024-1197 python-jwcrypto security update
Implements JWK, JWS, JWE specifications with python-cryptography Security Fixes: A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service DoS attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can resul...
OESA-2024-1196 python-jwcrypto security update
Implements JWK, JWS, JWE specifications with python-cryptography Security Fixes: A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service DoS attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can resul...
OESA-2024-1195 python-jwcrypto security update
Implements JWK, JWS, JWE specifications with python-cryptography Security Fixes: A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service DoS attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can resul...
Timing Side Channel Attack
NodeJS is vulnerable to Timing Side Channel Attack. The vulnerability is caused due to a defect in privateDecrypt API of the crypto library during PKCS1 v1.5 padding error handling where there is a significant timing differences in decryption for valid and invalid ciphertexts. An attackers can...
CVE-2023-46809
A flaw was found in Node.js. The privateDecrypt API of the crypto library may allow a covert timing side-channel during PKCS1 v1.5 padding error handling. This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decry...
Denial Of Service (DoS)
Microsoft.IdentityModel.JsonWebTokens and System.IdentityModel.Tokens.Jwt are vulnerable to Denial Of Service DoS. The vulnerability is cause by improper JWT compression checks, which results in resource exhaustion due processing of malicious JSON Web EncryptionJWE token. Successful exploitation...
GHSA-8G9C-28FC-MCX2 Duplicate Advisory: Microsoft Identity Denial of service vulnerability
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-59j7-ghrg-fj52. This link is maintained to preserve external references. Original Description Impact An attacker could exploit this vulnerability by crafting a malicious JSON Web Encryption JWE token with a high...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling by processing JSON Web Encryption JWE tokens with a high compression ratio. An attacker can cause excessive memory allocation and processing time during decompression, leading to a...
PT-2024-1246 · Microsoft +6 · Identity +6
Name of the Vulnerable Software and Affected Versions: Microsoft Identity versions prior to 5.7.0 Microsoft Identity versions prior to 6.34.0 Microsoft Identity versions prior to 7.1.2 Description: The issue is related to incorrect clearing or release of resources in the Microsoft Identity librar...
Node.js: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding)
A timing side-channel vulnerability in the crypto library's privateDecrypt API allowed attackers to remotely exploit and decrypt or forge signatures when processing encrypted messages...
USN-6307-1 cjose vulnerability
It was discovered that JOSE for C/C++ AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. An attacker could use this to cause a denial of service system crash or might expose sensitive information...
cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE
A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption JWE. A fixed length of 16 octets must ...
cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE
A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption JWE. A fixed length of 16 octets must ...
cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE
A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption JWE. A fixed length of 16 octets must ...
cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE
A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption JWE. A fixed length of 16 octets must ...
AZL-36936 CVE-2023-37464 affecting package cjose for versions less than 0.6.2.2-7
OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug...
cjose 加密问题漏洞
Cisco cjose is a C library from Cisco that implements Javascript Object Signing and Encryption JOSE. A cryptographic issue vulnerability exists in cjose that stems from the AES GCM decryption routines incorrectly using the length of the tag in the actual authentication tag provided in JWE...
PT-2023-25978 · Unknown +7 · Openidc/Cjose +7
Name of the Vulnerable Software and Affected Versions: OpenIDC/cjose versions prior to 0.6.2.2 Description: The AES GCM decryption routine in OpenIDC/cjose incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE, instead of the fixed length of 16 octets specified in...
github.com/lestrrat-go/jwx vulnerable to Potential Padding Oracle Attack
Summary Decrypting AES-CBC encrypted JWE has Potential Padding Oracle Attack Vulnerability. Details On v2.0.10, decrypting AES-CBC encrypted JWE may return an error "failed to generate plaintext from decrypted blocks: invalid padding":...