CVE-2024-28102

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f
https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97

Configurations

No configuration.

History

21 Mar 2024, 12:58

Type	Values Removed	Values Added
Summary		(es) JWCrypto implementa las especificaciones JWK, JWS y JWE utilizando criptografía Python. Antes de la versión 1.5.6, un atacante podía provocar un ataque de denegación de servicio al pasar un token JWE malicioso con una alta tasa de compresión. Cuando el servidor procese este token, consumirá mucha memoria y tiempo de procesamiento. La versión 1.5.6 corrige esta vulnerabilidad limitando la longitud máxima del token.

21 Mar 2024, 02:52

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-21 02:52

Updated : 2024-03-21 12:58

NVD link : CVE-2024-28102

Mitre link : CVE-2024-28102

CVE.ORG link : CVE-2024-28102

JSON object : View

Products Affected

No product.

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

6.8 /10