CVE-2024-28180

CVSS V2 None CVSS V3 None
Description
Package jose aims to provide an implementation of the JavaScript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
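The bound described above, sketched as an added example for callers that decompress untrusted DEFLATE data themselves (this is not go-jose's code). The names `decompressLimit`, `boundedInflate`, `deflate` and `ErrTooLarge` are hypothetical, and 250kB is assumed to mean 250,000 bytes.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

var ErrTooLarge = errors.New("decompressed data exceeds limit") // hypothetical name

// decompressLimit returns the bound from the description: 250kB or 10x the
// compressed size, whichever is larger (assumption: 250kB = 250,000 bytes).
func decompressLimit(compressedLen int) int64 {
	limit := 10 * int64(compressedLen)
	if limit < 250_000 {
		limit = 250_000
	}
	return limit
}

// boundedInflate inflates raw DEFLATE data but never reads more than limit+1 bytes.
func boundedInflate(compressed []byte) ([]byte, error) {
	limit := decompressLimit(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Read one byte past the limit so "exactly at the limit" differs from "over it".
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrTooLarge
	}
	return out, nil
}

func deflate(plain []byte) []byte { // builds constructed sample input
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(plain)
	w.Close()
	return buf.Bytes()
}

func main() {
	_, err := boundedInflate(deflate(make([]byte, 10<<20))) // constructed: 10 MiB of zeros
	fmt.Println(err)
}
```

The limit is applied while reading, so the oversized input is rejected after at most limit+1 bytes have been buffered rather than after the full expansion.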
Overview
  • CVE ID: CVE-2024-28180
  • Assigner: GitHub_M
  • Vulnerability Status: PUBLISHED
  • Published Version: 2024-03-09T00:54:46.382Z
  • Last Modified Date: 2024-03-09T00:54:46.382Z
References
Reference URL Reference Tags
https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g x_refsource_CONFIRM
https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298 x_refsource_MISC
https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a x_refsource_MISC
https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502 x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/
History
Created Old Value New Value Data Type Notes
2024-06-26 08:03:32 Added to TrackCVE