2270538 – (CVE-2023-50967) CVE-2023-50967 jose: Denial of service due to uncontrolled CPU consumption

Bug 2270538 (CVE-2023-50967) - CVE-2023-50967 jose: Denial of service due to uncontrolled CPU consumption

Summary: CVE-2023-50967 jose: Denial of service due to uncontrolled CPU consumption

Keywords:
Status:	NEW
Alias:	CVE-2023-50967
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2270539
Blocks:	2270540
TreeView+	depends on / blocked

Reported:	2024-03-20 20:35 UTC by Marco Benatto
Modified:	2024-04-13 01:18 UTC (History)
CC List:	23 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Jose package, where a large number of iterations used to derive the wrapping key for the PBKDF2 algorithm may lead to a denial of service. This flaw allows an attacker to set a large number of `PBKDF2' iterations, triggering an uncontrolled resource consumption that impacts the availability of the targeted application.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marco Benatto 2024-03-20 20:35:59 UTC

latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

https://github.com/P3ngu1nW/CVE_Request/blob/main/latch-jose.md
https://github.com/latchset/jose

Comment 1 Marco Benatto 2024-03-20 20:36:35 UTC

Created jose tracking bugs for this issue:

Affects: fedora-all [bug 2270539]

Note You need to log in before you can comment on or make changes to this bug.

dhanak
dsimansk
gparvin
jchui
jkoehler
kingland
ktsao
kverlaen
lbainbri
matzew
mnovotny
nboldt
njean
owatkins
pahickey
pierdipi
rguimara
rhaigner
rhuss
rtaniwa
sdawley
skontopo
tkral