CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (base score 4.9, Medium)
AI Score
Confidence: High
EPSS Percentile: 13.0%
jose is vulnerable to Denial of Service (DoS). The flaw is in the library's support for compressed JWE plaintext (the "zip": "DEF" header parameter): the plaintext is inflated after decryption, and the inflated size was not bounded. An attacker whose JWE the application will decrypt can therefore supply a token whose compressed payload expands at an exceptionally high ratio, so the token itself stays below any application-defined length limit while the decompressed plaintext exhausts memory or CPU. Application-level checks on token length are ineffective against this form of resource exhaustion; the limit has to be enforced on the inflated output (or compression support disabled where it is not needed).
github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314
github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b
github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q
lists.fedoraproject.org/archives/list/[email protected]/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/
lists.fedoraproject.org/archives/list/[email protected]/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/
lists.fedoraproject.org/archives/list/[email protected]/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/
lists.fedoraproject.org/archives/list/[email protected]/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/
lists.fedoraproject.org/archives/list/[email protected]/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/