CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
13.0%
jose is JavaScript module for JSON Object Signing and Encryption, providing
support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web
Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A
vulnerability has been identified in the JSON Web Encryption (JWE)
decryption interfaces, specifically related to the support for
decompressing plaintext after its decryption. Under certain conditions it
is possible to have the user’s environment consume unreasonable amount of
CPU time or memory during JWE Decryption operations. This issue has been
patched in versions 2.0.7 and 4.15.5.
github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314
github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b
github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q
launchpad.net/bugs/cve/CVE-2024-28176
nvd.nist.gov/vuln/detail/CVE-2024-28176
security-tracker.debian.org/tracker/CVE-2024-28176
www.cve.org/CVERecord?id=CVE-2024-28176