Vulnerability Details CVE-2024-28102
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 51.0%
CVSS Severity
CVSS v3 Score 6.8
References
- https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f
- https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97
- https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f
- https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97
- https://lists.debian.org/debian-lts-announce/2024/09/msg00026.html
- https://www.vicarius.io/vsociety/posts/denial-of-service-vulnerability-discovered-in-jwcrypto-cve-2024-28102-28103
Products affected by CVE-2024-28102
-
cpe:2.3:a:latchset:jwcrypto:-
-
cpe:2.3:a:latchset:jwcrypto:0.1.0
-
cpe:2.3:a:latchset:jwcrypto:0.2.0
-
cpe:2.3:a:latchset:jwcrypto:0.2.1
-
cpe:2.3:a:latchset:jwcrypto:0.3.0
-
cpe:2.3:a:latchset:jwcrypto:0.3.1
-
cpe:2.3:a:latchset:jwcrypto:0.3.2
-
cpe:2.3:a:latchset:jwcrypto:0.4.0
-
cpe:2.3:a:latchset:jwcrypto:0.4.1
-
cpe:2.3:a:latchset:jwcrypto:0.4.2
-
cpe:2.3:a:latchset:jwcrypto:0.5.0
-
cpe:2.3:a:latchset:jwcrypto:0.6.0
-
cpe:2.3:a:latchset:jwcrypto:0.7.0
-
cpe:2.3:a:latchset:jwcrypto:0.8.0
-
cpe:2.3:a:latchset:jwcrypto:0.9.0
-
cpe:2.3:a:latchset:jwcrypto:0.9.1
-
cpe:2.3:a:latchset:jwcrypto:1.0.0
-
cpe:2.3:a:latchset:jwcrypto:1.1.0
-
cpe:2.3:a:latchset:jwcrypto:1.2.0
-
cpe:2.3:a:latchset:jwcrypto:1.3.0
-
cpe:2.3:a:latchset:jwcrypto:1.4.0
-
cpe:2.3:a:latchset:jwcrypto:1.4.1
-
cpe:2.3:a:latchset:jwcrypto:1.4.2
-
cpe:2.3:a:latchset:jwcrypto:1.5.0
-
cpe:2.3:a:latchset:jwcrypto:1.5.1
-
cpe:2.3:a:latchset:jwcrypto:1.5.2
-
cpe:2.3:a:latchset:jwcrypto:1.5.3
-
cpe:2.3:a:latchset:jwcrypto:1.5.4
-
cpe:2.3:a:latchset:jwcrypto:1.5.5
-
cpe:2.3:o:debian:debian_linux:11.0