FKIE_CVE-2024-28102

Vulnerability from fkie_nvd - Published: 2024-03-21 02:52 - Updated: 2024-11-21 09:05
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Summary
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.
References
security-advisories@github.comhttps://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f
security-advisories@github.comhttps://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97
af854a3a-2127-422b-91ae-364da2661108https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f
af854a3a-2127-422b-91ae-364da2661108https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/09/msg00026.html
af854a3a-2127-422b-91ae-364da2661108https://www.vicarius.io/vsociety/posts/denial-of-service-vulnerability-discovered-in-jwcrypto-cve-2024-28102-28103
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length."
    },
    {
      "lang": "es",
      "value": "JWCrypto implementa las especificaciones JWK, JWS y JWE utilizando criptograf\u00eda Python. Antes de la versi\u00f3n 1.5.6, un atacante pod\u00eda provocar un ataque de denegaci\u00f3n de servicio al pasar un token JWE malicioso con una alta tasa de compresi\u00f3n. Cuando el servidor procese este token, consumir\u00e1 mucha memoria y tiempo de procesamiento. La versi\u00f3n 1.5.6 corrige esta vulnerabilidad limitando la longitud m\u00e1xima del token."
    }
  ],
  "id": "CVE-2024-28102",
  "lastModified": "2024-11-21T09:05:49.187",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-03-21T02:52:23.513",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00026.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.vicarius.io/vsociety/posts/denial-of-service-vulnerability-discovered-in-jwcrypto-cve-2024-28102-28103"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.