4 matches found
CVE-2024-28102
Summary: CVE-2024-28102 affects the Python JWCrypto/JWCrypto implementation. Before 1.5.6, processing a malicious JWE token with a high compression ratio can cause a DoS by consuming excessive memory and CPU time; the vulnerability stems from the token deserialization path. Affected component: py...
CVE-2023-6681
CVE-2023-6681 affects JWCrypto in python-jwcrypto. Root cause: unbounded PBES2 Count value in PBKDF2 enables a DoS when processing crafted JWE tokens; high resource consumption is possible. Documented impact: denial of service (and potential password brute‑force/dictionary pressure). Remediation/...
CVE-2016-6298
The CVE-2016-6298 issue affects the jwcrypto Python package, specifically the RSA 1.5 implementation (the _Rsa15 class in jwa.py). Before 0.3.2, it lacks the Random Filling protection mechanism, enabling a remote attacker to potentially obtain cleartext data via a Million Message Attack (MMA). Th...
CVE-2026-39373
CVE-2026-39373 affects JWCrypto (Python) prior to 1.5.7. An unauthenticated attacker can trigger memory exhaustion by sending crafted JWE tokens using ZIP compression; a token under 250 KB can decompress to ~100 MB. The fix is version 1.5.7. This follows CVE-2024-28102: while the 250 KB input lim...