Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0yYzdjLTNtajktOGZxaM4AA3S1

Decryption of malicious PBES2 JWE objects can consume unbounded system resources

The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

Permalink: https://github.com/advisories/GHSA-2c7c-3mj9-8fqh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yYzdjLTNtajktOGZxaM4AA3S1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 9 months ago


Identifiers: GHSA-2c7c-3mj9-8fqh
References: Repository: https://github.com/go-jose/go-jose
Blast Radius: 0.0

Affected Packages

go:github.com/square/go-jose
Dependent packages: 158
Dependent repositories: 507
Downloads:
Affected Version Ranges: < 2.6.2
Fixed in: 2.6.2
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0
All unaffected versions:
go:github.com/go-jose/go-jose/v3
Dependent packages: 2,511
Dependent repositories: 2,218
Downloads:
Affected Version Ranges: < 3.0.1
Fixed in: 3.0.1
All affected versions: 3.0.0
All unaffected versions: 3.0.1, 3.0.2, 3.0.3