CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
AI Score
Confidence: High
EPSS
Percentile: 17.1%
github.com/go-jose/go-jose is vulnerable to Data Amplification. The vulnerability is due to insufficient checks or controls in the handling of compressed data within the Decrypt or DecryptMulti functions. Specifically, when an attacker sends a JSON Web Encryption (JWE) object containing compressed data, the decompression carried out by these functions consumes a substantial amount of memory and CPU, resulting in Denial of Service.
github.com/advisories/GHSA-c5q2-7r4c-mv6g
github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298
github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a
github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502
github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
lists.fedoraproject.org/archives/list/[email protected]/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/
lists.fedoraproject.org/archives/list/[email protected]/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/
lists.fedoraproject.org/archives/list/[email protected]/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/
lists.fedoraproject.org/archives/list/[email protected]/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/
lists.fedoraproject.org/archives/list/[email protected]/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/
lists.fedoraproject.org/archives/list/[email protected]/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/
lists.fedoraproject.org/archives/list/[email protected]/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/
lists.fedoraproject.org/archives/list/[email protected]/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/
lists.fedoraproject.org/archives/list/[email protected]/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/