GitHub_MCVELIST:CVE-2024-28122CVE-2024-28122 JWX vulnerable to a denial of service attack using compressed JWE message
6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
15.8%
JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21.
CNA Affected
[
{
"vendor": "lestrrat-go",
"product": "jwx",
"versions": [
{
"version": ">= 2.0.0, < 2.0.21",
"status": "affected"
},
{
"version": ">= 1.2.0, < 1.2.29",
"status": "affected"
}
]
}
]Related
6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
15.8%