Bug 2423194 (CVE-2024-29371)
| Summary: | CVE-2024-29371 jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abrianik, anstephe, ant, aprice, aschwart, asoldano, aszczucz, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, bstansbe, caswilli, ccranfor, cescoffi, chfoley, clement.escoffier, dandread, darran.lofthouse, dhanak, dkreling, dlofthou, dosoudil, drichtar, drosa, dsimansk, eric.wittmann, ewittman, fmariani, ggrzybek, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jmartisk, jpechane, jraez, jrokos, jsamir, kaycoth, kingland, kverlaen, lthon, manderse, matzew, mnovotny, mosmerov, mposolda, msvehla, nipatil, nwallace, oezr, olubyans, pantinor, parichar, pberan, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rgodfrey, rguimara, rkubis, rmartinc, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, ssilvert, sthorger, swoodman, tasato, tcunning, thjenkin, tom.jenkinson, tqvarnst, vdosoudi, vmuzikar, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2425745, 2425744 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2025-12-17 16:01:42 UTC
This issue has been addressed in the following products: Streams for Apache Kafka 3.2.0 Via RHSA-2026:13571 https://access.redhat.com/errata/RHSA-2026:13571 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Via RHSA-2026:33371 https://access.redhat.com/errata/RHSA-2026:33371 This issue has been addressed in the following products: Streams for Apache Kafka 2.9.4 Via RHSA-2026:34608 https://access.redhat.com/errata/RHSA-2026:34608 |