CVE-2024-33663
CVE-2024-33663 concerns python-jose up to version 3.3.0, where an algorithm confusion occurs between OpenSSH ECDSA keys and other key formats. The issue, described across multiple feeds (CNNVD, Debian tracker, CVE lists), is analogous to CVE-2022-29217 and is framed as a key-format/algorithm conf...
CVE-2024-33664
The CVE-2024-33664 entry concerns python-jose up to version 3.3.0, where decoding a crafted high-compression JWE token can cause resource exhaustion (denial of service). The vulnerability is triggered during decode of a JSON Web Encryption token with a high compression ratio, and is noted as simi...
CVE-2016-7036
CVE-2016-7036 affects the Python package python-jose before version 1.3.2. The vulnerability arises from not using a constant-time comparison when validating HMAC keys, allowing an attacker to cause an unspecified impact. Public sources in the connected set confirm the issue and point to a fix ...
CVE-2024-29370
CVE-2024-29370 affects python-jose 3.3.0 (jwe.decrypt). An attacker can craft a malicious JWE with an exceptionally high compression ratio, causing a Denial-of-Service through heavy memory allocation and processing time during decompression. The CVSS vector in the description indicates Availabili...