Bug 2268854 (CVE-2024-28180) - CVE-2024-28180 jose-go: improper handling of highly compressed data
Summary: CVE-2024-28180 jose-go: improper handling of highly compressed data
Keywords:
Status: NEW
Alias: CVE-2024-28180
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2268872 2268873 2268871 2268874 2268875 2268876 2268877 2268878 2268879 2268880 2268881 2268882 2268883 2268884 2268885 2268886 2268887 2268888 2268889 2268890 2268891 2268892 2268893 2268894 2268895 2268896 2268897 2268898 2268899 2268901 2268902 2268903 2268904 2268905 2268909 2268910 2268911 2268912 2268913 2268914 2268915 2268916 2268917 2268918 2269205 2276638 2276653 2276654 2276655 2276656 2276657 2276658 2306538 2306540
Blocks: 2268846
TreeView+ depends on / blocked
 
Reported: 2024-03-10 20:20 UTC by ybuenos
Modified: 2025-05-06 08:28 UTC (History)
118 users (show)

Fixed In Version: go-jose 4.0.1, go-jose 3.0.3, go-jose 2.6.3
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:1661 0 None None None 2024-04-03 10:23:33 UTC
Red Hat Product Errata RHBA-2024:2860 0 None None None 2024-05-15 21:21:18 UTC
Red Hat Product Errata RHBA-2024:3978 0 None None None 2024-06-18 09:34:32 UTC
Red Hat Product Errata RHBA-2024:4109 0 None None None 2024-06-26 01:10:05 UTC
Red Hat Product Errata RHBA-2024:4195 0 None None None 2024-07-01 07:34:00 UTC
Red Hat Product Errata RHBA-2024:4196 0 None None None 2024-07-01 07:45:31 UTC
Red Hat Product Errata RHSA-2024:0041 0 None None None 2024-06-27 11:24:32 UTC
Red Hat Product Errata RHSA-2024:1456 0 None None None 2024-03-27 00:41:42 UTC
Red Hat Product Errata RHSA-2024:1563 0 None None None 2024-04-02 21:38:09 UTC
Red Hat Product Errata RHSA-2024:1567 0 None None None 2024-04-03 16:00:25 UTC
Red Hat Product Errata RHSA-2024:1574 0 None None None 2024-04-03 07:36:38 UTC
Red Hat Product Errata RHSA-2024:1812 0 None None None 2024-04-15 05:44:41 UTC
Red Hat Product Errata RHSA-2024:1859 0 None None None 2024-04-16 17:26:34 UTC
Red Hat Product Errata RHSA-2024:2049 0 None None None 2024-05-02 16:56:16 UTC
Red Hat Product Errata RHSA-2024:2054 0 None None None 2024-05-02 15:47:00 UTC
Red Hat Product Errata RHSA-2024:2071 0 None None None 2024-05-02 14:47:10 UTC
Red Hat Product Errata RHSA-2024:2639 0 None None None 2024-05-01 02:44:46 UTC
Red Hat Product Errata RHSA-2024:2669 0 None None None 2024-05-09 14:12:02 UTC
Red Hat Product Errata RHSA-2024:2672 0 None None None 2024-05-09 17:13:48 UTC
Red Hat Product Errata RHSA-2024:2773 0 None None None 2024-05-15 18:44:12 UTC
Red Hat Product Errata RHSA-2024:2776 0 None None None 2024-05-15 19:00:59 UTC
Red Hat Product Errata RHSA-2024:2784 0 None None None 2024-05-16 18:31:15 UTC
Red Hat Product Errata RHSA-2024:2865 0 None None None 2024-05-21 09:37:56 UTC
Red Hat Product Errata RHSA-2024:2869 0 None None None 2024-05-23 08:24:57 UTC
Red Hat Product Errata RHSA-2024:2875 0 None None None 2024-05-23 18:11:12 UTC
Red Hat Product Errata RHSA-2024:2877 0 None None None 2024-05-23 18:41:58 UTC
Red Hat Product Errata RHSA-2024:3254 0 None None None 2024-05-22 11:38:26 UTC
Red Hat Product Errata RHSA-2024:3327 0 None None None 2024-05-29 15:42:06 UTC
Red Hat Product Errata RHSA-2024:3349 0 None None None 2024-05-30 03:55:31 UTC
Red Hat Product Errata RHSA-2024:3351 0 None None None 2024-05-30 04:11:47 UTC
Red Hat Product Errata RHSA-2024:3523 0 None None None 2024-06-10 16:09:00 UTC
Red Hat Product Errata RHSA-2024:3718 0 None None None 2024-10-01 17:30:39 UTC
Red Hat Product Errata RHSA-2024:3826 0 None None None 2024-06-11 19:40:55 UTC
Red Hat Product Errata RHSA-2024:3827 0 None None None 2024-06-11 19:41:21 UTC
Red Hat Product Errata RHSA-2024:3968 0 None None None 2024-06-18 00:29:22 UTC
Red Hat Product Errata RHSA-2024:4006 0 None None None 2024-06-27 02:13:00 UTC
Red Hat Product Errata RHSA-2024:4010 0 None None None 2024-06-26 02:06:21 UTC
Red Hat Product Errata RHSA-2024:4028 0 None None None 2024-06-20 13:20:45 UTC
Red Hat Product Errata RHSA-2024:4041 0 None None None 2024-06-26 12:06:26 UTC
Red Hat Product Errata RHSA-2024:4455 0 None None None 2024-07-10 12:41:14 UTC
Red Hat Product Errata RHSA-2024:4484 0 None None None 2024-07-17 01:36:00 UTC
Red Hat Product Errata RHSA-2024:4591 0 None None None 2024-07-17 13:15:50 UTC
Red Hat Product Errata RHSA-2024:6687 0 None None None 2024-09-19 05:39:09 UTC
Red Hat Product Errata RHSA-2024:7164 0 None None None 2024-09-26 03:48:11 UTC
Red Hat Product Errata RHSA-2024:7179 0 None None None 2024-10-02 05:50:00 UTC
Red Hat Product Errata RHSA-2024:8229 0 None None None 2024-10-23 05:29:29 UTC
Red Hat Product Errata RHSA-2024:8235 0 None None None 2024-10-23 13:15:30 UTC
Red Hat Product Errata RHSA-2024:8260 0 None None None 2024-10-24 10:45:05 UTC
Red Hat Product Errata RHSA-2024:8425 0 None None None 2024-10-31 03:37:41 UTC

Description ybuenos 2024-03-10 20:20:23 UTC 
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298
https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a
https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502
https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
Comment 1 ybuenos 2024-03-10 20:57:32 UTC 
Created apptainer tracking bugs for this issue:

Affects: epel-all [bug 2268871]
Affects: fedora-all [bug 2268875]


Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 2268876]


Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2268872]
Affects: fedora-all [bug 2268877]


Created containerd tracking bugs for this issue:

Affects: fedora-all [bug 2268878]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268879]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2268873]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268880]


Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268881]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268882]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268883]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268884]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2268885]


Created golang-github-acme-lego tracking bugs for this issue:

Affects: fedora-all [bug 2268886]


Created golang-github-in-toto tracking bugs for this issue:

Affects: fedora-all [bug 2268887]


Created golang-github-jose-3 tracking bugs for this issue:

Affects: fedora-all [bug 2268888]


Created golang-github-letsencrypt-pebble tracking bugs for this issue:

Affects: fedora-all [bug 2268889]


Created golang-gopkg-square-jose-2 tracking bugs for this issue:

Affects: fedora-all [bug 2268890]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2268891]


Created jose tracking bugs for this issue:

Affects: fedora-all [bug 2268899]


Created moby-engine tracking bugs for this issue:

Affects: fedora-all [bug 2268892]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2268893]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2268894]


Created podman-tui tracking bugs for this issue:

Affects: fedora-all [bug 2268895]


Created prometheus-podman-exporter tracking bugs for this issue:

Affects: fedora-all [bug 2268896]


Created singularity-ce tracking bugs for this issue:

Affects: epel-all [bug 2268874]
Affects: fedora-all [bug 2268897]


Created skopeo tracking bugs for this issue:

Affects: fedora-all [bug 2268898]
Comment 12 errata-xmlrpc 2024-03-27 00:41:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:1456 https://access.redhat.com/errata/RHSA-2024:1456
Comment 13 errata-xmlrpc 2024-04-02 21:38:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1563 https://access.redhat.com/errata/RHSA-2024:1563
Comment 14 errata-xmlrpc 2024-04-03 07:36:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1574 https://access.redhat.com/errata/RHSA-2024:1574
Comment 15 errata-xmlrpc 2024-04-03 16:00:19 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1567 https://access.redhat.com/errata/RHSA-2024:1567
Comment 16 errata-xmlrpc 2024-04-15 05:44:36 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2024:1812 https://access.redhat.com/errata/RHSA-2024:1812
Comment 17 errata-xmlrpc 2024-04-16 17:26:27 UTC 
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:1859 https://access.redhat.com/errata/RHSA-2024:1859
Comment 28 errata-xmlrpc 2024-05-01 02:44:38 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2024:2639 https://access.redhat.com/errata/RHSA-2024:2639
Comment 29 errata-xmlrpc 2024-05-02 14:47:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2071 https://access.redhat.com/errata/RHSA-2024:2071
Comment 30 errata-xmlrpc 2024-05-02 15:46:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2054 https://access.redhat.com/errata/RHSA-2024:2054
Comment 31 errata-xmlrpc 2024-05-02 16:56:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2049 https://access.redhat.com/errata/RHSA-2024:2049
Comment 34 errata-xmlrpc 2024-05-09 14:11:55 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2669 https://access.redhat.com/errata/RHSA-2024:2669
Comment 35 errata-xmlrpc 2024-05-09 17:13:42 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2672 https://access.redhat.com/errata/RHSA-2024:2672
Comment 36 errata-xmlrpc 2024-05-15 18:44:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2773 https://access.redhat.com/errata/RHSA-2024:2773
Comment 37 errata-xmlrpc 2024-05-15 19:00:51 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2776 https://access.redhat.com/errata/RHSA-2024:2776
Comment 38 errata-xmlrpc 2024-05-16 18:31:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:2784 https://access.redhat.com/errata/RHSA-2024:2784
Comment 39 errata-xmlrpc 2024-05-21 09:37:48 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2865 https://access.redhat.com/errata/RHSA-2024:2865
Comment 40 errata-xmlrpc 2024-05-22 11:38:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3254 https://access.redhat.com/errata/RHSA-2024:3254
Comment 41 errata-xmlrpc 2024-05-23 08:24:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2869 https://access.redhat.com/errata/RHSA-2024:2869
Comment 42 errata-xmlrpc 2024-05-23 18:11:04 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2875 https://access.redhat.com/errata/RHSA-2024:2875
Comment 43 errata-xmlrpc 2024-05-23 18:41:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2877 https://access.redhat.com/errata/RHSA-2024:2877
Comment 44 errata-xmlrpc 2024-05-29 15:41:58 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:3327 https://access.redhat.com/errata/RHSA-2024:3327
Comment 45 errata-xmlrpc 2024-05-30 03:55:23 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:3349 https://access.redhat.com/errata/RHSA-2024:3349
Comment 46 errata-xmlrpc 2024-05-30 04:11:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:3351 https://access.redhat.com/errata/RHSA-2024:3351
Comment 49 errata-xmlrpc 2024-06-10 16:08:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:3523 https://access.redhat.com/errata/RHSA-2024:3523
Comment 50 errata-xmlrpc 2024-06-11 19:40:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3826 https://access.redhat.com/errata/RHSA-2024:3826
Comment 51 errata-xmlrpc 2024-06-11 19:41:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3827 https://access.redhat.com/errata/RHSA-2024:3827
Comment 52 errata-xmlrpc 2024-06-18 00:29:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3968 https://access.redhat.com/errata/RHSA-2024:3968
Comment 53 errata-xmlrpc 2024-06-20 13:20:35 UTC 
This issue has been addressed in the following products:

  RHOSS-1.33-RHEL-8

Via RHSA-2024:4028 https://access.redhat.com/errata/RHSA-2024:4028
Comment 54 errata-xmlrpc 2024-06-26 02:06:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:4010 https://access.redhat.com/errata/RHSA-2024:4010
Comment 55 errata-xmlrpc 2024-06-26 12:06:14 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:4041 https://access.redhat.com/errata/RHSA-2024:4041
Comment 56 errata-xmlrpc 2024-06-27 02:12:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:4006 https://access.redhat.com/errata/RHSA-2024:4006
Comment 57 errata-xmlrpc 2024-06-27 11:24:23 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:0041 https://access.redhat.com/errata/RHSA-2024:0041
Comment 58 errata-xmlrpc 2024-07-10 12:41:06 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.16

Via RHSA-2024:4455 https://access.redhat.com/errata/RHSA-2024:4455
Comment 60 errata-xmlrpc 2024-07-17 01:35:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:4484 https://access.redhat.com/errata/RHSA-2024:4484
Comment 61 errata-xmlrpc 2024-07-17 13:15:41 UTC 
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:4591 https://access.redhat.com/errata/RHSA-2024:4591
Comment 62 errata-xmlrpc 2024-09-19 05:39:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:6687 https://access.redhat.com/errata/RHSA-2024:6687
Comment 63 errata-xmlrpc 2024-09-26 03:48:01 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:7164 https://access.redhat.com/errata/RHSA-2024:7164
Comment 64 errata-xmlrpc 2024-10-01 17:30:30 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:3718 https://access.redhat.com/errata/RHSA-2024:3718
Comment 65 errata-xmlrpc 2024-10-02 05:49:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:7179 https://access.redhat.com/errata/RHSA-2024:7179
Comment 66 errata-xmlrpc 2024-10-23 05:29:18 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:8229 https://access.redhat.com/errata/RHSA-2024:8229
Comment 67 errata-xmlrpc 2024-10-23 13:15:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:8235 https://access.redhat.com/errata/RHSA-2024:8235
Comment 68 errata-xmlrpc 2024-10-24 10:44:57 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:8260 https://access.redhat.com/errata/RHSA-2024:8260
Comment 69 errata-xmlrpc 2024-10-31 03:37:31 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:8425 https://access.redhat.com/errata/RHSA-2024:8425
Note You need to log in before you can comment on or make changes to this bug.