Veracode Vulnerability DatabaseVERACODE:36972Denial Of Service (DoS)
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
18.3%
jose is vulnerable to denial of service. The vulnerability exists in the multiple functions in decrypt.ts due to not limiting the computational expense of default PBES2 algorithm, allowing an attacker to crash the application by providing malicious input.
References
github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d
github.com/panva/jose/commit/4e7121a58872f01cc5fc586d4907f857c23d0119
github.com/panva/jose/commit/c1512be6601a8b6e5a8193fbda9ecdf25349a1c2
github.com/panva/jose/commit/d530c30af5d5156552accfcdf0b059696e17c44c
github.com/panva/jose/releases/tag/v1.28.2
github.com/panva/jose/releases/tag/v2.0.6
github.com/panva/jose/releases/tag/v3.20.4
github.com/panva/jose/releases/tag/v4.9.2
github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
18.3%