Cisco Node-Jose vulnerabilities

4 known vulnerabilities affecting cisco/node-jose.

Total CVEs: 4
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 2

Vulnerabilities

CVE-2023-25653 | HIGH | CVSS 7.5 | fixed in 2.2.0 | published 2023-02-16
CVE-2023-25653 [HIGH] CWE-835: node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in `node-jose` can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation. F […]
Sources: cvelistv5, ghsa, nvd, osv
CVE-2022-36083 | MEDIUM | CVSS 5.3 | affected ≥ 0, < 4.9.2-1 | published 2022-09-07
CVE-2022-36083 [MEDIUM]: JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` PBES2 Count, which determines how many PBKDF2 iterations must […]
Note: this description is that of the standalone `jose` package ("JSON Web Almost Everything", native runtime crypto), not of cisco/node-jose, and the affected range with its "-1" suffix looks like a distribution package version rather than a node-jose release. Treat the entry as matched to node-jose by name and confirm the affected package in the linked advisory before acting on it. The underlying issue, an attacker-controlled `p2c` that dictates how much PBKDF2 work the recipient performs, applies to any JWE consumer that honours PBES2 headers.
Sources: osv
CVE-2017-16007 | MEDIUM | CVSS 5.9 | fixed in 0.9.3 | published 2018-06-04
CVE-2017-16007 [MEDIUM] CWE-200: node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral […]
Sources: ghsa, nvd, osv
CVE-2018-0114 | HIGH | CVSS 7.5 | public PoC | fixed in 0.11.0 | published 2018-01-04
CVE-2018-0114 [HIGH] CWE-347: A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs). This standard specifies that a JSON Web Key (JWK) repre […]
Sources: ghsa, nvd, osv