Bug 2423194 (CVE-2024-29371)

Summary: CVE-2024-29371 jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abrianik, anstephe, aprice, aschwart, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, caswilli, ccranfor, chfoley, clement.escoffier, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drosa, dsimansk, eric.wittmann, fmariani, ggrzybek, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jmartisk, jpechane, jrokos, jsamir, kaycoth, kingland, kverlaen, lthon, manderse, matzew, mnovotny, mosmerov, mposolda, msvehla, nipatil, nwallace, oezr, olubyans, pantinor, parichar, pberan, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rguimara, rkubis, rmartinc, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, ssilvert, sthorger, swoodman, tasato, tcunning, tom.jenkinson, tqvarnst, vmuzikar, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2425744, 2425745
Bug Blocks:

Description OSIDB Bzimport 2025-12-17 16:01:42 UTC
In jose4j before 0.9.5, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
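The description above concerns a decompression bomb: JWE tokens may carry a `zip` header of `DEF`, meaning the plaintext was compressed with raw DEFLATE (RFC 1951) before encryption, so a consumer that inflates without a size bound does an amount of work chosen by whoever built the token. The following is an added illustration of the mitigation pattern, bounded decompression that aborts as soon as the output exceeds an application-chosen cap. It is not jose4j's code and says nothing about how the 0.9.5 fix is implemented; it uses Python's standard `zlib` module, and the `MAX_PLAINTEXT` cap and the sample inputs are constructed for the demonstration.

```python
import zlib

# Hypothetical per-application cap on the size of a decompressed JWE payload.
# Real JWT/JWE payloads are small (a few KiB of claims), so a cap like this
# costs nothing for legitimate tokens.
MAX_PLAINTEXT = 64 * 1024


def raw_deflate(data: bytes) -> bytes:
    """Compress with raw DEFLATE (no zlib/gzip framing), as JWE "zip":"DEF" does.
    Used here only to build constructed sample inputs."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def inflate_unbounded(compressed: bytes) -> bytes:
    """The risky pattern: inflate whatever arrives and allocate the full result."""
    return zlib.decompress(compressed, wbits=-15)


def inflate_bounded(compressed: bytes, limit: int = MAX_PLAINTEXT) -> bytes:
    """Inflate raw DEFLATE data but refuse to produce more than `limit` bytes.

    zlib's decompressobj accepts a max_length argument, so the inflater stops
    emitting output at the budget instead of growing a buffer to whatever the
    stream expands to; unprocessed input is parked in .unconsumed_tail."""
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    pending = compressed
    while pending:
        # Ask for one byte beyond the limit so an overrun is detectable.
        # len(out) <= limit holds here, so the budget is >= 1 and never the
        # special value 0, which zlib treats as "unlimited".
        budget = limit + 1 - len(out)
        produced = d.decompress(pending, budget)
        out += produced
        if len(out) > limit:
            raise ValueError(
                f"decompressed JWE payload exceeds {limit} bytes; rejecting token"
            )
        if not produced and d.unconsumed_tail == pending:
            raise ValueError("inflater made no progress; malformed DEFLATE stream")
        pending = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    return bytes(out)


def decompress_ratio(compressed: bytes, limit: int = MAX_PLAINTEXT) -> float:
    """Observed expansion ratio of a stream that passes the bound, useful as a
    metric for logging or alerting on unusually compressible payloads."""
    plain = inflate_bounded(compressed, limit)
    return len(plain) / max(len(compressed), 1)


if __name__ == "__main__":
    # Constructed samples: a realistic small claims payload, and a highly
    # compressible 1 MiB payload standing in for the oversized case.
    claims = b'{"sub":"alice","aud":"api","exp":1700000000}'
    oversized = b"\x00" * (1024 * 1024)

    print("claims ok:", inflate_bounded(raw_deflate(claims)) == claims)
    big = raw_deflate(oversized)
    print("1 MiB of zeros compresses to", len(big), "bytes")
    try:
        inflate_bounded(big)
    except ValueError as e:
        print("bounded inflate rejected it:", e)
```

`inflate_bounded` is the half that matters: the rejection happens at the moment output crosses the cap, not after the full expansion has been materialised, so memory and CPU spent on a hostile token stay proportional to the cap rather than to the attacker's chosen ratio. Whatever the JWE library in use, the equivalent check belongs between decryption and inflation of a `zip: DEF` payload, and the cap should be sized to the largest payload the application legitimately expects.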