Bug 2268761 (CVE-2024-28122) - CVE-2024-28122 jwx: denial of service attack using compressed JWE message
Summary: CVE-2024-28122 jwx: denial of service attack using compressed JWE message
Keywords:
Status: NEW
Alias: CVE-2024-28122
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2268762 2268763
Blocks: 2268764
Reported: 2024-03-10 09:16 UTC by ybuenos
Modified: 2024-03-15 12:10 UTC (History)

Fixed In Version: jwx 1.2.29, jwx 2.0.21
Doc Type: ---
Doc Text:
An uncontrolled resource consumption vulnerability was found in jwx. This flaw allows an attacker with a trusted public key to cause a denial of service condition by crafting a malicious JWE token with an exceptionally high compression ratio.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description ybuenos 2024-03-10 09:16:31 UTC
JWX is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21.

https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29
https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21
https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259
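A bounded-decompression check of the kind this issue calls for, as an added Go example (not the jwx project's own code): a JWE with "zip":"DEF" carries a DEFLATE-compressed plaintext, and the consumer below inflates it only up to a caller-chosen cap and rejects anything larger, so a token with an extreme compression ratio cannot exhaust memory. `deflateCompress` and `boundedInflate` are hypothetical helper names and the 1 MiB cap is a placeholder; the highly compressible test payload is constructed inline.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when the inflated payload would exceed the cap.
var ErrDecompressedTooLarge = errors.New("decompressed JWE payload exceeds configured limit")

// deflateCompress mimics the "zip":"DEF" transform a JWE producer applies to the plaintext.
func deflateCompress(plaintext []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression) // constant level: cannot fail
	if _, err := w.Write(plaintext); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// boundedInflate inflates DEFLATE data but never materialises more than maxOut bytes.
// Reading through a LimitReader of maxOut+1 detects an oversized payload without
// allocating the whole inflated output, which is what an unbounded inflate would do.
func boundedInflate(compressed []byte, maxOut int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrDecompressedTooLarge // stop before the caller sees the bloated payload
	}
	return out, nil
}

func main() {
	// Constructed test input: 8 MiB of zeros compresses to a few KiB (very high ratio).
	bomb, _ := deflateCompress(make([]byte, 8<<20))
	fmt.Printf("compressed size: %d bytes\n", len(bomb))
	_, err := boundedInflate(bomb, 1<<20) // placeholder cap of 1 MiB
	fmt.Println("inflate with 1 MiB cap:", err)
}
```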

Comment 1 ybuenos 2024-03-10 09:16:45 UTC
Created golang-github-lestrrat-jwx tracking bugs for this issue:

Affects: fedora-all [bug 2268762]

Comment 2 ybuenos 2024-03-10 09:24:10 UTC
Created golang-github-deepmap-oapi-codegen tracking bugs for this issue:

Affects: fedora-all [bug 2268763]

Comment 4 Anten Skrabec 2024-03-15 12:10:55 UTC
affected packages:
github.com/lestrrat-go/jwx/v1
github.com/lestrrat-go/jwx/v2

