CVE-2024-28180 — Improper Handling of Highly Compressed Data (Data Amplification) in Go-jose
Severity: 4.3 MEDIUM (NVD)
EPSS: 4.9% (top 10.44%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: (not listed on this page)
Timeline: Published Mar 9; latest update Mar 15
Description
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE whose payload is compressed (the "zip":"DEF" DEFLATE option defined for JWE) and crafted so that it consumes large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti, i.e. a decompression bomb: a few kilobytes of ciphertext that inflate to hundreds of megabytes. The patched functions now return an error if the decompressed data would exceed 250 kB or 10x the compressed size, whichever is larger. This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
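The following Go program is an added illustration and is not go-jose's own code: it models the pre-patch behaviour (inflate the whole DEFLATE stream into memory) beside a bounded inflate that enforces the limit the advisory describes, 250 kB or 10x the compressed size, whichever is larger. All function names, the constants (the advisory says "250kB"; 250,000 bytes is our reading of it), and the constructed benign and hostile payloads are assumptions made for the example; go-jose's real Decrypt/DecryptMulti code path is not reproduced here.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// Limits mirroring the advisory's description of the patched go-jose behaviour.
// Names and the exact byte value of "250kB" are this example's assumptions.
const (
	maxPlaintextBytes = 250_000
	maxExpansionRatio = 10
)

var ErrDecompressionBomb = errors.New("decompressed JWE payload exceeds size limit")

// decompressionLimit returns the maximum number of decompressed bytes allowed
// for a DEFLATE payload of compressedLen bytes: max(250 kB, 10x compressed).
func decompressionLimit(compressedLen int) int64 {
	limit := int64(compressedLen) * maxExpansionRatio
	if limit < maxPlaintextBytes {
		limit = maxPlaintextBytes
	}
	return limit
}

// inflateUnbounded models the pre-patch behaviour: it inflates the entire
// stream into memory, so a tiny "zip":"DEF" payload can expand without bound.
func inflateUnbounded(compressed []byte) ([]byte, error) {
	return io.ReadAll(flate.NewReader(bytes.NewReader(compressed)))
}

// inflateBounded stops reading as soon as the output would exceed the limit,
// so both memory and CPU spent on a hostile payload are capped by the limit.
func inflateBounded(compressed []byte) ([]byte, error) {
	limit := decompressionLimit(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Read at most one byte past the limit; if that byte arrives, reject.
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrDecompressionBomb
	}
	return out, nil
}

// deflate compresses plaintext with raw DEFLATE, the format "zip":"DEF" uses.
func deflate(plaintext []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(plaintext); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// bombPayload builds a constructed hostile payload: n zero bytes, which
// DEFLATE shrinks by roughly a factor of 1000.
func bombPayload(n int) ([]byte, error) {
	return deflate(make([]byte, n))
}

// incompressibleBytes returns n pseudo-random bytes (xorshift64) that DEFLATE
// cannot shrink, used to show the 10x clause admitting a large honest payload.
func incompressibleBytes(n int) []byte {
	out := make([]byte, n)
	x := uint64(0x9E3779B97F4A7C15)
	for i := range out {
		x ^= x << 13
		x ^= x >> 7
		x ^= x << 17
		out[i] = byte(x)
	}
	return out
}

func main() {
	benign, err := deflate([]byte(`{"sub":"alice","exp":1700000000}`))
	if err != nil {
		panic(err)
	}
	pt, err := inflateBounded(benign)
	fmt.Printf("benign: %d compressed -> %d bytes, err=%v\n", len(benign), len(pt), err)

	bomb, err := bombPayload(50 << 20) // 50 MB of zeros
	if err != nil {
		panic(err)
	}
	_, err = inflateBounded(bomb)
	fmt.Printf("bomb: %d compressed bytes, limit %d, err=%v\n",
		len(bomb), decompressionLimit(len(bomb)), err)
}
```

The bounded variant never allocates more than limit+1 bytes and stops inflating as soon as that byte appears, which is what keeps CPU as well as memory proportional to the attacker's ciphertext size. The "whichever is larger" clause matters in practice: a legitimately large, poorly compressible payload (say 300 kB of JSON that DEFLATE barely shrinks) exceeds 250 kB but is still within 10x of its compressed size, so it decrypts, while a few kilobytes of zeros are rejected long before they reach their full expansion.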
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (Exploitability: 2.8 | Impact: 1.4)
Affected packages: 7
Vulnerability details (5 references)
- CVEList
- OSV: CVE-2024-28180: Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards (2024-03-09)
- OSV
- GHSA

Vendor advisories (3)
- Microsoft
- Debian: CVE-2024-28180: golang-github-go-jose-go-jose - Package jose aims to provide an implementation of the Javascript Object Signing ... (2024)