Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yYzdjLTNtajktOGZxaM4AA3S1
Decryption of malicious PBES2 JWE objects can consume unbounded system resources
The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.
Permalink: https://github.com/advisories/GHSA-2c7c-3mj9-8fqhJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yYzdjLTNtajktOGZxaM4AA3S1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 2 months ago
Identifiers: GHSA-2c7c-3mj9-8fqh
References:
- https://github.com/go-jose/go-jose/issues/64
- https://github.com/go-jose/go-jose/commit/65351c27657d58960c2e6c9fbb2b00f818e50568
- https://github.com/go-jose/go-jose/commit/a3d307244c3bc50b25a71aa0688764c32ec419c7
- https://github.com/advisories/GHSA-2c7c-3mj9-8fqh
Blast Radius: 0.0
Affected Packages
go:github.com/square/go-jose
Dependent packages: 158Dependent repositories: 507
Downloads:
Affected Version Ranges: < 2.6.2
Fixed in: 2.6.2
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0
All unaffected versions:
go:github.com/go-jose/go-jose/v3
Dependent packages: 1,417Dependent repositories: 2,218
Downloads:
Affected Version Ranges: < 3.0.1
Fixed in: 3.0.1
All affected versions: 3.0.0
All unaffected versions: 3.0.1