CVE-2024-28176 : jose is JavaScript module for JSON Object Signing and Encryption, providing supp

jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.

Published 2024-03-09 01:15:07

Updated 2024-03-30 04:15:08

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2024-28176

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2024-28176

EPSS FAQ

0.25%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 49 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-28176

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.9	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H	1.2	3.6	GitHub, Inc.	2024-03-09
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2024-28176

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2024-28176

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/

[SECURITY] Fedora 39 Update: podman-tui-1.0.0-1.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/

[SECURITY] Fedora 39 Update: apptainer-1.3.0-1.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/

[SECURITY] Fedora 38 Update: podman-tui-1.0.0-1.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/

[SECURITY] Fedora 40 Update: podman-tui-1.0.0-1.fc40 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314

fix: add a maxOutputLength option to zlib inflate · panva/jose@02a6579 · GitHub
https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b

fix: add a maxOutputLength option to zlib inflate · panva/jose@1b91d88 · GitHub
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/

[SECURITY] Fedora 40 Update: apptainer-1.3.0-1.fc40 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q

Resource exhaustion via specifically crafted JWE with compressed plaintext · Advisory · panva/jose · GitHub

Jump to

Vulnerability Details : CVE-2024-28176

Products affected by CVE-2024-28176

Exploit prediction scoring system (EPSS) score for CVE-2024-28176

CVSS scores for CVE-2024-28176

CWE ids for CVE-2024-28176

References for CVE-2024-28176