CVE-2024-28176Uncontrolled Resource Consumption in Jose

CWE-400Uncontrolled Resource Consumption6 documents5 sources
Severity
5.9MEDIUMNVD
CNA4.9
EPSS
0.6%
top 31.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Panva JoseJose Project JoseJose-node-cjs-runtime Project Jose-node-cjs-runtime+1 more
Timeline
PublishedMar 9

Description

jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume unreasonable amount of C

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

CVEListV5panva/jose< 2.0.7+1
NVDjose_project/jose3.0.04.15.5+1
npmjose_project/jose3.0.04.15.5+1
NVDfedoraproject/fedora3840

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
CVE-2024-28176: jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encr2024-03-09
CVEList
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext2024-03-09
OSV
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext2024-03-07
GHSA
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext2024-03-07

📋Vendor Advisories

1
Red Hat
jose: resource exhaustion2024-03-09
CVE-2024-28176 — Uncontrolled Resource Consumption | cvebase