Bug 2444248 (CVE-2026-27932)
| Summary: | CVE-2026-27932 joserfc: joserfc: Denial of Service via unbounded PBKDF2 iteration count in JWE decryption | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | caswilli, kaycoth |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in joserfc, a Python library for JSON Object Signing and Encryption (JOSE) standards. An unauthenticated attacker can cause a Denial of Service (DoS) by exploiting a resource exhaustion vulnerability. This occurs when the library decrypts a JSON Web Encryption (JWE) token using Password-Based Encryption (PBES2) algorithms, as it reads the p2c (PBES2 Count) parameter directly from the token's protected header without validation. An attacker can specify an extremely large iteration count for the PBKDF2 key derivation function, forcing the server to expend massive CPU resources processing a single token, leading to CPU exhaustion and a Denial of Service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-03-03 23:02:45 UTC
|