Latchset Jwcrypto vulnerabilities

5 known vulnerabilities affecting latchset/jwcrypto.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 5

Vulnerabilities

CVE-2026-39373 | MEDIUM | CVSS 6.8 | fixed in 1.5.7 | 2026-04-07
CWE-409 | JWCrypto: JWE ZIP decompression bomb
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens that use ZIP compression. The existing patch for CVE-2024-28102 limits the input token size to 250 KB but does not validate the size of the decompressed output. An unauthenticated attacker can cause memory exhaustion on memory-co
Sources: cvelistv5, ghsa, osv
CVE-2024-28102 | MEDIUM | CVSS 6.8 | fixed in 1.5.6 (also listed: 1.5.7) | 2024-03-21
CWE-770
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service by passing in a malicious JWE token with a high compression ratio. When the server processes this token, it consumes a large amount of memory and processing time. Version 1.5.6 fixes this vulnerability b
Sources: cvelistv5, ghsa, nvd, osv
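The two compression advisories above (CVE-2024-28102 and CVE-2026-39373) describe the same failure mode from two sides: a cap on the compressed token does not bound the memory the inflated plaintext takes. The following is an added example, not jwcrypto's own code, showing a bounded raw-DEFLATE inflater beside the unbounded pattern. JWE compression is raw DEFLATE (RFC 7516 section 4.1.3), hence wbits=-15; the 1 MiB plaintext cap and the function names are assumptions for the example, not jwcrypto settings.

```python
"""Bounded inflate for a JWE payload compressed with "zip": "DEF".

Added example, not jwcrypto's code. It shows why an input cap alone (the
250 KB limit from the CVE-2024-28102 fix) does not bound memory: a few
kilobytes of raw DEFLATE can inflate to many megabytes, so the inflated
output must be capped as well. MAX_PLAINTEXT is an assumed policy value.
"""
import zlib

MAX_COMPRESSED = 250 * 1024      # input cap, in the spirit of the 1.5.6 fix
MAX_PLAINTEXT = 1024 * 1024      # assumed cap on inflated output (1 MiB)
BOMB_PLAINTEXT_SIZE = 16 * 1024 * 1024


class UnsafeInflate(ValueError):
    """Raised when a payload would exceed the configured limits."""


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE, as a JWE producer applies before encrypting the plaintext."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def inflate_unbounded(data: bytes) -> bytes:
    """The vulnerable pattern: inflate whatever arrived, however large it gets."""
    return zlib.decompress(data, -15)


def inflate_bounded(data: bytes, max_out: int = MAX_PLAINTEXT) -> bytes:
    """Inflate at most max_out bytes and reject streams that would go further.

    Asking the decompressor for max_out + 1 bytes detects a stream that
    really produces more than max_out without ever allocating more than
    max_out + 1 bytes of output. Malformed streams still raise zlib.error.
    """
    if len(data) > MAX_COMPRESSED:
        raise UnsafeInflate(f"compressed payload exceeds {MAX_COMPRESSED} bytes")
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, max_out + 1)
    if len(out) > max_out:
        raise UnsafeInflate(f"inflated payload exceeds {max_out} bytes")
    if not d.eof:
        raise UnsafeInflate("truncated deflate stream")
    if d.unused_data:
        raise UnsafeInflate("trailing data after deflate stream")
    return out


def rejects(data: bytes) -> bool:
    """True if the bounded inflater refuses the payload."""
    try:
        inflate_bounded(data)
    except UnsafeInflate:
        return True
    return False


# Constructed decompression bomb: 16 MiB of zeros shrinks to a few tens of
# kilobytes, comfortably under the 250 KB input cap.
BOMB = deflate_raw(b"\x00" * BOMB_PLAINTEXT_SIZE)
# Constructed benign payload of the size a real JWE plaintext might have.
SMALL = deflate_raw(b'{"sub":"alice","exp":1700000000}')

if __name__ == "__main__":
    print(f"bomb: {len(BOMB)} compressed bytes, "
          f"{len(inflate_unbounded(BOMB))} inflated, "
          f"passes input cap: {len(BOMB) <= MAX_COMPRESSED}")
    print("bounded inflater rejects bomb:", rejects(BOMB))
    print("bounded inflater accepts small payload:", not rejects(SMALL))
```

The point of requesting max_out + 1 rather than max_out is that zlib's decompressobj hands back at most that many bytes and parks the rest of the input in unconsumed_tail, so the cap is enforced before the allocation happens rather than checked after the fact.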
CVE-2023-6681 | MEDIUM | CVSS 5.3 | fixed in 1.5.1 | 2024-02-12
CWE-400
A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) and can make password brute-force and dictionary attacks more resource-intensive. It can result in a large amount of computational consumption, causing a denial of service.
Sources: ghsa, nvd, osv
CVE-2022-3102 | MEDIUM | affected: ≥ 0, < 1.4 | 2022-09-21
jwcrypto token substitution can lead to authentication bypass
The JWT code can auto-detect the type of token being provided, and this can lead the application to incorrect conclusions about the trustworthiness of the token. Quoting the private disclosure we received: "Under certain circumstances, it is possible to substitute a [..] signed JWS with a JWE that is encrypted with the public key that is normally us
Sources: ghsa, osv
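The substitution described in CVE-2022-3102 works when the verifier lets the library guess whether it has been handed a JWS or a JWE. The following is an added example, not jwcrypto's own code, of a structural gate a verifier can run before any cryptographic processing: it classifies a compact token from its segment count and protected header (three segments and no "enc" for JWS per RFC 7515 section 7.1, five segments and an "enc" for JWE per RFC 7516 section 7.1) and refuses anything other than the kind and algorithms the caller expects. The RS256/ES256 allowlist, the function names and the sample tokens are assumptions constructed for the example.

```python
"""Explicit serialization-type gate for compact JOSE tokens.

Added example, not jwcrypto's code. Instead of letting a library auto-detect
the token type, the verifier states what it expects (a compact JWS with an
allowlisted alg) and rejects everything else up front. The sample tokens
below are constructed: their headers are real JSON, the other segments are
placeholders, because only the structural gate is exercised here.
"""
import base64
import json

EXPECTED_ALGS = {"RS256", "ES256"}   # assumed allowlist for this verifier


class TokenTypeError(ValueError):
    """The token is not of the kind this verifier accepts."""


def _b64url_decode(segment: str) -> bytes:
    # Compact serialization drops '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def protected_header(token: str) -> dict:
    """Decode the first segment as the JSON protected header, or raise."""
    try:
        header = json.loads(_b64url_decode(token.split(".")[0]))
    except ValueError as exc:            # bad base64url or bad JSON
        raise TokenTypeError("unparseable protected header") from exc
    if not isinstance(header, dict):
        raise TokenTypeError("protected header is not a JSON object")
    return header


def classify_compact(token: str) -> str:
    """Return 'JWS' or 'JWE' from structure alone; raise if ambiguous."""
    parts = token.split(".")
    header = protected_header(token)
    if len(parts) == 3 and "enc" not in header:
        return "JWS"
    if len(parts) == 5 and "enc" in header:
        return "JWE"
    raise TokenTypeError("segment count and header disagree on token type")


def require_jws(token: str, allowed_algs=EXPECTED_ALGS) -> dict:
    """Gate for a verifier that only ever accepts signed tokens.

    A JWE the attacker encrypted to the server's public key must never be
    taken for something the server signed, so JWEs are refused outright,
    and the signature algorithm is pinned to the allowlist.
    """
    kind = classify_compact(token)
    if kind != "JWS":
        raise TokenTypeError(f"expected JWS, got {kind}")
    header = protected_header(token)
    if header.get("alg") not in allowed_algs:
        raise TokenTypeError(f"alg {header.get('alg')!r} not allowed")
    return header   # the caller now hands the token to the JWS verifier


def is_accepted(token: str) -> bool:
    try:
        require_jws(token)
    except TokenTypeError:
        return False
    return True


def _compact(header: dict, *segments: bytes) -> str:
    """Build a compact token from a header and placeholder segments."""
    encoded = [_b64url_encode(json.dumps(header).encode())]
    encoded += [_b64url_encode(s) for s in segments]
    return ".".join(encoded)


# Constructed sample tokens (placeholder signature/ciphertext segments).
SIGNED_TOKEN = _compact({"alg": "RS256", "typ": "JWT"},
                        b'{"sub":"alice"}', b"signature-placeholder")
ENCRYPTED_TOKEN = _compact({"alg": "RSA-OAEP", "enc": "A256GCM"},
                           b"wrapped-key", b"iv", b'{"sub":"alice"}', b"tag")
UNSIGNED_TOKEN = _compact({"alg": "none"}, b'{"sub":"alice"}', b"")
MALFORMED_TOKEN = _compact({"alg": "RS256"}, b"a", b"b", b"c")   # 4 segments

if __name__ == "__main__":
    for name, tok in [("signed", SIGNED_TOKEN), ("encrypted", ENCRYPTED_TOKEN),
                      ("unsigned", UNSIGNED_TOKEN), ("malformed", MALFORMED_TOKEN)]:
        print(f"{name:>9}: accepted={is_accepted(tok)}")
```

The gate is deliberately dumb: it does no cryptography and trusts nothing in the header beyond using it to decide which verifier, if any, may see the token. Signature verification and key selection still happen afterwards in the library.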
CVE-2016-6298 | MEDIUM | CVSS 5.3 | fixed in 0.3.2 | 2016-09-01
CWE-200
The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA), Bleichenbacher's adaptive chosen-ciphertext attack on PKCS#1 v1.5 padding.
Sources: ghsa, nvd, osv