Bug 2266921 (CVE-2023-51775) - CVE-2023-51775 jose4j: denial of service via specially crafted JWE
Summary: CVE-2023-51775 jose4j: denial of service via specially crafted JWE
Keywords:
Status: NEW
Alias: CVE-2023-51775
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2266927
TreeView+ depends on / blocked
 
Reported: 2024-02-29 08:52 UTC by Rohit Keshri
Modified: 2025-05-06 08:29 UTC (History)
84 users (show)

Fixed In Version: jose4j 0.9.4
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:3550 0 None None None 2024-06-03 11:53:57 UTC
Red Hat Product Errata RHSA-2024:4057 0 None None None 2024-06-24 01:38:56 UTC
Red Hat Product Errata RHSA-2024:4386 0 None None None 2024-07-08 20:04:53 UTC
Red Hat Product Errata RHSA-2024:4392 0 None None None 2024-07-08 22:19:14 UTC
Red Hat Product Errata RHSA-2024:4873 0 None None None 2024-07-25 15:04:59 UTC
Red Hat Product Errata RHSA-2024:6536 0 None None None 2025-03-07 11:29:46 UTC
Red Hat Product Errata RHSA-2024:8075 0 None None None 2024-10-14 18:00:34 UTC
Red Hat Product Errata RHSA-2024:8076 0 None None None 2024-10-14 17:59:50 UTC
Red Hat Product Errata RHSA-2024:8077 0 None None None 2024-10-14 17:59:11 UTC
Red Hat Product Errata RHSA-2024:8080 0 None None None 2024-10-14 18:07:11 UTC

Description Rohit Keshri 2024-02-29 08:52:25 UTC 
The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

https://bitbucket.org/b_c/jose4j/issues/212
Comment 6 errata-xmlrpc 2024-06-03 11:53:52 UTC 
This issue has been addressed in the following products:

  HawtIO 4.0.0 for Red Hat build of Apache Camel 4

Via RHSA-2024:3550 https://access.redhat.com/errata/RHSA-2024:3550
Comment 8 errata-xmlrpc 2024-06-24 01:38:51 UTC 
This issue has been addressed in the following products:

  RHOSS-1.33-RHEL-8

Via RHSA-2024:4057 https://access.redhat.com/errata/RHSA-2024:4057
Comment 9 errata-xmlrpc 2024-07-08 20:04:48 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:4386 https://access.redhat.com/errata/RHSA-2024:4386
Comment 10 errata-xmlrpc 2024-07-08 22:19:10 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:4392 https://access.redhat.com/errata/RHSA-2024:4392
Comment 13 errata-xmlrpc 2024-07-25 15:04:53 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apicurio Registry 2.6.1 GA

Via RHSA-2024:4873 https://access.redhat.com/errata/RHSA-2024:4873
Comment 14 errata-xmlrpc 2024-10-14 17:59:07 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2024:8077 https://access.redhat.com/errata/RHSA-2024:8077
Comment 15 errata-xmlrpc 2024-10-14 17:59:45 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2024:8076 https://access.redhat.com/errata/RHSA-2024:8076
Comment 16 errata-xmlrpc 2024-10-14 18:00:29 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2024:8075 https://access.redhat.com/errata/RHSA-2024:8075
Comment 17 errata-xmlrpc 2024-10-14 18:07:06 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2024:8080 https://access.redhat.com/errata/RHSA-2024:8080
Comment 22 errata-xmlrpc 2025-03-07 11:29:41 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.5.2

Via RHSA-2024:6536 https://access.redhat.com/errata/RHSA-2024:6536
Note You need to log in before you can comment on or make changes to this bug.