Source: vulnrichment (GitHub_M), VULNRICHMENT:CVE-2024-28102
History: Mar 06, 2024 - 9:09 p.m.

CVE-2024-28102 JWCrypto vulnerable to JWT bomb Attack in `deserialize` function

Published: 2024-03-06 21:09:58
CWE-770
CNA: GitHub_M (github.com)
jwcrypto
jwt bomb attack
deserialize function
python-cryptography
jwk
jws
jwe
denial of service
memory consumption
version 1.5.6 fix

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

AI Score

6.5

Confidence

High

SSVC

Exploitation

poc

Automatable

no

Technical Impact

partial

JWCrypto implements the JWK, JWS, and JWE specifications on top of python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service by submitting a malicious JWE token whose compressed plaintext has a very high compression ratio (a "JWT bomb", that is, a decompression bomb delivered through the JWE "zip":"DEF" header parameter, which DEFLATE-compresses the plaintext before it is encrypted). When the server deserializes and decrypts such a token it inflates the plaintext, consuming a large amount of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.
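The following is an added example, not jwcrypto's own code, that shows the mechanism behind the advisory and two defences: the serialized-token length cap the advisory credits to 1.5.6, and a bounded inflate that refuses to allocate past a ceiling. It builds a raw-DEFLATE "bomb" of the kind a "zip":"DEF" JWE carries, wraps it in a compact-serialization shape (with the compressed bytes standing in for the ciphertext, since real AEAD encryption would not change its length), and uses only the standard library. The cap values and the "dir"/A256GCM header are illustrative assumptions, not jwcrypto defaults.

```python
"""JWE "zip":"DEF" decompression bomb: mechanism and two mitigations.

Added example, not jwcrypto's own code.  RFC 7516 lets a JWE producer
DEFLATE-compress (raw DEFLATE, RFC 1951) the plaintext before encrypting it,
signalled by the protected header member "zip":"DEF".  The compressed bytes
sit inside the ciphertext, so a recipient learns the inflated size only by
inflating.  Standard library only.
"""
import base64
import json
import zlib

# DEFLATE cannot expand more than roughly 1032:1 (one length/distance pair
# needs at least 2 bits and emits at most 258 bytes), so a cap on serialized
# token length also bounds the worst-case inflated size.
DEFLATE_MAX_RATIO = 1032


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_bomb(inflated_size: int) -> bytes:
    """Raw-DEFLATE bytes that inflate to `inflated_size` zero bytes."""
    comp = zlib.compressobj(level=9, wbits=-15)  # wbits=-15: raw DEFLATE, as JWE uses
    return comp.compress(b"\x00" * inflated_size) + comp.flush()


def token_shape(compressed: bytes) -> str:
    """Compact JWE serialization with the compressed bytes standing in for the
    ciphertext.  A real token would AEAD-encrypt them (same length), so the
    on-the-wire size is representative.  Header, IV and tag are constructed
    placeholders, not a real encryption."""
    protected = b64url(json.dumps(
        {"alg": "dir", "enc": "A256GCM", "zip": "DEF"}, separators=(",", ":")).encode())
    iv = b64url(b"\x00" * 12)   # placeholder, not a real nonce
    tag = b64url(b"\x00" * 16)  # placeholder, not a real tag
    return ".".join([protected, "", iv, b64url(compressed), tag])


def naive_inflate(compressed: bytes) -> bytes:
    """Unbounded inflate: allocates whatever the stream expands to."""
    return zlib.decompress(compressed, wbits=-15)


class DecompressionBombError(ValueError):
    pass


def check_token_length(token: str, max_len: int) -> int:
    """Mitigation 1, the shape of fix the advisory describes for 1.5.6: reject
    oversized serialized tokens before parsing anything.  Returns the
    worst-case inflated size a token under the cap could still produce, so the
    cap can be chosen against available memory."""
    if len(token) > max_len:
        raise DecompressionBombError(f"token of {len(token)} bytes exceeds cap {max_len}")
    return max_len * DEFLATE_MAX_RATIO


def bounded_inflate(compressed: bytes, max_output: int) -> bytes:
    """Mitigation 2: inflate with an output ceiling.  Ask zlib for at most
    max_output+1 bytes; receiving more than max_output proves the stream
    exceeds the limit, and at most max_output+1 bytes were ever allocated.
    A stream that ends without reaching eof is rejected as truncated."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(compressed, max_output + 1)
    if len(out) > max_output:
        raise DecompressionBombError(f"inflated output exceeds {max_output} bytes")
    if not d.eof:
        raise DecompressionBombError("truncated or incomplete DEFLATE stream")
    return out


if __name__ == "__main__":
    bomb = build_bomb(8 * 1024 * 1024)  # 8 MiB of zeros, compresses to a few KiB
    tok = token_shape(bomb)
    print(f"token: {len(tok)} bytes, inflates to {len(naive_inflate(bomb))} bytes")
    # 256 KiB is an illustrative cap, not jwcrypto's value.
    print("worst case under a 256 KiB token cap:",
          check_token_length(tok, 256 * 1024), "bytes")
    try:
        bounded_inflate(bomb, 1024 * 1024)
    except DecompressionBombError as e:
        print("rejected:", e)
```

The two mitigations compose: a token-length cap bounds the damage to about 1032 times the cap, which is why the cap must be set with that multiplier in mind, and an output ceiling on the inflate step bounds it directly regardless of token size.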

CNA Affected

[
  {
    "vendor": "latchset",
    "product": "jwcrypto",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.5.6"
      }
    ]
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:latchset:jwcrypto:*:*:*:*:*:*:*:*"
    ],
    "vendor": "latchset",
    "product": "jwcrypto",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.5.6",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
