CVE-2024-28122 - OpenCVE

JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29
https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21
https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-09T00:45:50.129Z

Updated: 2024-03-09T00:45:50.129Z

Reserved: 2024-03-04T14:19:14.060Z

Link: CVE-2024-28122

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-03-09T01:15:06.940

Modified: 2024-03-11T01:32:39.697

Link: CVE-2024-28122

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-28122", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-04T14:19:14.060Z", "datePublished": "2024-03-09T00:45:50.129Z", "dateUpdated": "2024-03-09T00:45:50.129Z"}, "containers": {"cna": {"title": " JWX vulnerable to a denial of service attack using compressed JWE message", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259"}, {"name": "https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29", "tags": ["x_refsource_MISC"], "url": "https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29"}, {"name": "https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21", "tags": ["x_refsource_MISC"], "url": "https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21"}], "affected": [{"vendor": "lestrrat-go", "product": "jwx", "versions": [{"version": ">= 2.0.0, < 2.0.21", "status": "affected"}, {"version": ">= 1.2.0, < 1.2.29", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-09T00:45:50.129Z"}, "descriptions": [{"lang": "en", "value": " JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21."}], "source": {"advisory": "GHSA-hj3v-m684-v259", "discovery": "UNKNOWN"}}}}