GitHub_MVULNRICHMENT:CVE-2024-28122CVE-2024-28122 JWX vulnerable to a denial of service attack using compressed JWE message
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
AI Score
Confidence
Low
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial
JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:lestrrat-go:jwx:2.0.0:*:*:*:*:*:*:*"
],
"vendor": "lestrrat-go",
"product": "jwx",
"versions": [
{
"status": "affected",
"version": "2.0.0",
"lessThan": "2.0.21",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:2.3:a:lestrrat-go:jwx:1.2.0:*:*:*:*:*:*:*"
],
"vendor": "lestrrat-go",
"product": "jwx",
"versions": [
{
"status": "affected",
"version": "1.2.0",
"lessThan": "1.2.29",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
AI Score
Confidence
Low
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial