Lucene search

GoogleOSV:GO-2024-2632

HistoryMay 20, 2024 - 7:46 p.m.

JWX vulnerable to a denial of service attack using compressed JWE message in github.com/lestrrat-go/jwx

2024-05-2019:46:23

Google

osv.dev

denial of service

jwe message

github

jwx

vulnerability

memory allocation

processing time

decompression

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.8%

JSON

An attacker with a trusted public key may cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the recipient, it results in significant memory allocation and processing time during decompression.

CPENameOperatorVersion
github.com/lestrrat-go/jwx/v2lt2.0.21
github.com/lestrrat-go/jwxlt1.2.29

CPE	Name	Operator	Version
	github.com/lestrrat-go/jwx/v2	lt	2.0.21
	github.com/lestrrat-go/jwx	lt	1.2.29

References

github.com/lestrrat-go/jwx/commit/d01027d74c7376d66037a10f4f64af9af26a7e34

github.com/lestrrat-go/jwx/commit/d43f2ceb7f0c13714dfe8854d6439766e86faa76

github.com/lestrrat-go/jwx/releases/tag/v1.2.29

github.com/lestrrat-go/jwx/releases/tag/v2.0.21

github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.8%

JSON

Related for OSV:GO-2024-2632