Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1taHBxLTk2MzgteDZwd84AA38h
Denial of service when decrypting attack controlled input in github.com/dvsekhvalnov/jose2go
An attacker controlled input of a PBES2 encrypted JWE blob can have a very large p2c value that, when decrypted, produces a denial-of-service.
Permalink: https://github.com/advisories/GHSA-mhpq-9638-x6pwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1taHBxLTk2MzgteDZwd84AA38h
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 12 months ago
Updated: 5 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-mhpq-9638-x6pw
References:
- https://github.com/dvsekhvalnov/jose2go/issues/31
- https://github.com/dvsekhvalnov/jose2go/commit/a4584e9dd7128608fedbc67892eba9697f0d5317
- https://www.blackhat.com/us-23/briefings/schedule/#three-new-attacks-against-json-web-tokens-31695
- https://github.com/advisories/GHSA-mhpq-9638-x6pw
Blast Radius: 18.7
Affected Packages
go:github.com/dvsekhvalnov/jose2go
Dependent packages: 4,857Dependent repositories: 3,430
Downloads:
Affected Version Ranges: < 1.5.1-0.20231206184617-48ba0b76bc88
Fixed in: 1.5.1-0.20231206184617-48ba0b76bc88
All affected versions: 1.5.0
All unaffected versions: 1.6.0, 1.7.0, 1.8.0