Bug 2260843 (CVE-2023-6681) - CVE-2023-6681 JWCrypto: denail of service Via specifically crafted JWE
Summary: CVE-2023-6681 JWCrypto: denail of service Via specifically crafted JWE
Status: NEW
Alias: CVE-2023-6681
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2263861 2263862
Blocks: 2260847
TreeView+ depends on / blocked
Reported: 2024-01-29 11:11 UTC by Rohit Keshri
Modified: 2024-04-17 09:55 UTC (History)
14 users (show)

Fixed In Version: jwcrypto 1.5.1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Rohit Keshri 2024-01-29 11:11:13 UTC
The JWE key management algorithms based on PBKDF2 require a JOSE Header
Parameter called p2c (PBES2 Count). This parameter dictates the number of
PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose
is to intentionally slow down the key derivation function, making password
brute-force and dictionary attacks more resource- intensive.

Therefore, if an attacker sets the p2c parameter in JWE to a very large
number, it can cause a lot of computational consumption, resulting in a DOS

Comment 3 Guilherme de Almeida Suckevicz 2024-02-12 13:20:28 UTC
Created python-jwcrypto tracking bugs for this issue:

Affects: fedora-38 [bug 2263861]
Affects: fedora-39 [bug 2263862]

Note You need to log in before you can comment on or make changes to this bug.