Jose-Node-Cjs-Runtime Project Jose-Node-Cjs-Runtime vulnerabilities
5 known vulnerabilities affecting jose-node-cjs-runtime_project/jose-node-cjs-runtime.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 5
Vulnerabilities
CVE-2024-28176 | MEDIUM | ≥ 0, < 4.15.5 | 2024-03-07
CVE-2024-28176 [MEDIUM] CWE-400 jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing plaintext after its decryption](https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.3). This allows an adversary to exploit spec
ghsa, osv
CVE-2022-36083 | MEDIUM | ≥ 3.0.0, < 3.20.4; ≥ 4.0.0, < 4.9.2 | 2022-09-16
CVE-2022-36083 [MEDIUM] CWE-400 JOSE vulnerable to resource exhaustion via specifically crafted JWE
The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` ([PBES2 Count](https://www.rfc-editor.org/rfc/rfc7518.html#section-4.8.1.2)), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the
ghsa, osv
CVE-2021-29446 | MEDIUM | CVSS 5.9 | fixed in 3.11.4 | 2021-04-16
CVE-2021-29446 [MEDIUM] CWE-203
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4, the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, `JWEDecryptionFailed` would be thrown. But a possibly obs
ghsa, nvd, osv
CVE-2021-29445 | MEDIUM | CVSS 5.9 | fixed in 3.11.4 | 2021-04-16
CVE-2021-29445 [MEDIUM] CWE-203
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4, the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, `JWEDecryptionFailed` would be thrown. But a possibly obs
nvd
CVE-2021-29444 | MEDIUM | CVSS 5.9 | fixed in 3.11.4 | 2021-04-16
CVE-2021-29444 [MEDIUM] CWE-203
jose-browser-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4, the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, `JWEDecryptionFailed` would be thrown. But a possibly obse
nvd