CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence: High
org.apache.cxf:cxf-rt-rs-security-jose is vulnerable to Denial of Service (DoS). The p2c (PBES2 count) parameter has no size restriction, so an attacker can cause a denial of service by specifying a large value for this parameter in a token.
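The following is an added example, not code from Apache CXF or from this advisory: a standalone pre-check that reads the protected header of a compact JWE and rejects PBES2 tokens whose p2c is missing, non-integer or above a ceiling, before any key derivation runs. The ceiling `MAX_P2C`, the function names and the sample tokens are assumptions made for the illustration.

```python
import base64
import json

# Key-management algorithms that use the p2c (PBES2 count) header parameter.
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}

# Assumed policy ceiling for this example; set it to what your own issuers use.
MAX_P2C = 1_000_000


def _b64url_decode(segment):
    # Compact serialization drops base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_p2c(compact_jwe, max_p2c=MAX_P2C):
    """Return (accepted, reason) for a compact JWE, inspecting only its header."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        return False, "not a compact JWE"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "unreadable protected header"
    if not isinstance(header, dict):
        return False, "protected header is not a JSON object"
    if header.get("alg") not in PBES2_ALGS:
        return True, "not a PBES2 token"
    p2c = header.get("p2c")
    # bool is an int subclass in Python, and 1e12 parses as float: reject both.
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        return False, "p2c missing or not an integer"
    if p2c < 1 or p2c > max_p2c:
        return False, "p2c outside allowed range"
    return True, "ok"


def sample_token(header):
    # Constructed test input: a real header followed by placeholder segments.
    encoded = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=")
    return encoded.decode() + ".AA.AA.AA.AA"


if __name__ == "__main__":
    base = {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": "AAAA"}
    for count in (4096, 2_000_000_000, "4096", 1e12):
        print(count, check_p2c(sample_token({**base, "p2c": count})))
```

The check runs on the header alone, so an oversized count is refused at the cost of one base64 decode and one JSON parse.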
github.com/advisories/GHSA-6pff-fmh2-4mmf
github.com/apache/cxf/commit/20793d3fed2e73e2785a58ec5b47403306ae4a5c
github.com/apache/cxf/commit/2d2baa3455db7439bf1ed4e00edfc5a7106edf7d
github.com/apache/cxf/commit/d1d77c34c199c2c87ebcfe23e3c81dccfe2e2473
lists.apache.org/thread/stwrgsr1llb73nkl16klv9vjqgmmx633