GitHub Advisory Database: GHSA-GVPG-VGMX-XG6W
Feb 11, 2024 - 6:30 a.m.

Denial of Service in Connect2id Nimbus JOSE+JWT

2024-02-11 06:30:27
CWE-400
GitHub Advisory Database
github.com
connect2id
nimbus jose+jwt
denial of service
passwordbaseddecrypter
pbkdf2

AI Score: 7
Confidence: High
EPSS: 0
Percentile: 15.5%

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
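
A defensive pre-check for the condition described above, as an added example that is not part of the advisory or of Nimbus JOSE+JWT: it reads the JWE protected header and rejects any PBES2 token whose p2c falls outside a local cap before the token reaches a password-based decrypter. The cap, the header size limit and all function names are assumptions, the sample tokens are constructed, and the check goes slightly beyond the advisory by also rejecting a missing or non-integer p2c.

```python
import base64
import json

# Assumed local policy values, not taken from the advisory.
MAX_P2C = 1_000_000        # highest PBKDF2 iteration count we accept
MAX_HEADER_B64_LEN = 4096  # refuse oversized headers before decoding
# PBES2 key-management algorithms from RFC 7518 (tuple: safe for any JSON value).
PBES2_ALGS = ("PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW")


class RejectedJWE(ValueError):
    """The token must not be handed to a password-based decrypter."""


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jwe_p2c(token: str, max_p2c: int = MAX_P2C) -> dict:
    """Return the protected header if the token may be passed on, else raise."""
    parts = token.split(".")
    if len(parts) != 5:
        raise RejectedJWE("not a JWE compact serialization")
    if len(parts[0]) > MAX_HEADER_B64_LEN:
        raise RejectedJWE("protected header too large")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise RejectedJWE("protected header is not base64url JSON") from exc
    if not isinstance(header, dict):
        raise RejectedJWE("protected header is not a JSON object")
    if header.get("alg") in PBES2_ALGS:
        p2c = header.get("p2c")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(p2c, bool) or not isinstance(p2c, int):
            raise RejectedJWE("p2c missing or not an integer")
        if not 1 <= p2c <= max_p2c:
            raise RejectedJWE(f"p2c {p2c} outside 1..{max_p2c}")
    return header


def make_sample_token(header: dict) -> str:
    """Constructed sample: real header, placeholder bytes for the other parts."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"key"),
                     enc(b"iv"), enc(b"ciphertext"), enc(b"tag")])
```

The check is a compensating control in front of the decrypter; the advisory's remedy remains running a release that is not before 9.37.2.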

Affected configurations

Vulners
Node: connect2id nimbus_jose\+jwt, Range: <9.37.2

Vendor: connect2id
Product: nimbus_jose\+jwt
Version: *
CPE: cpe:2.3:a:connect2id:nimbus_jose\+jwt:*:*:*:*:*:*:*:*
