blob: 3cb6d332ea594809ec77fced6eb8766c34abd0dd [file] [log] [blame]
id: GO-2024-2631
modules:
- module: github.com/go-jose/go-jose/v4
versions:
- fixed: 4.0.1
vulnerable_at: 4.0.0
packages:
- package: github.com/go-jose/go-jose/v4
symbols:
- inflate
derived_symbols:
- JSONWebEncryption.Decrypt
- JSONWebEncryption.DecryptMulti
- module: github.com/go-jose/go-jose/v3
versions:
- fixed: 3.0.3
vulnerable_at: 3.0.2
packages:
- package: github.com/go-jose/go-jose/v3
symbols:
- inflate
derived_symbols:
- JSONWebEncryption.Decrypt
- JSONWebEncryption.DecryptMulti
- module: gopkg.in/go-jose/go-jose.v2
versions:
- fixed: 2.6.3
vulnerable_at: 2.6.2
packages:
- package: gopkg.in/go-jose/go-jose.v2
symbols:
- inflate
derived_symbols:
- JSONWebEncryption.Decrypt
- JSONWebEncryption.DecryptMulti
- module: gopkg.in/square/go-jose.v2
vulnerable_at: 2.6.0
packages:
- package: gopkg.in/square/go-jose.v2
symbols:
- inflate
derived_symbols:
- JSONWebEncryption.Decrypt
- JSONWebEncryption.DecryptMulti
summary: Decompression bomb vulnerability in github.com/go-jose/go-jose
description: |-
An attacker could send a JWE containing compressed data that used large amounts
of memory and CPU when decompressed by Decrypt or DecryptMulti.
cves:
- CVE-2024-28180
ghsas:
- GHSA-c5q2-7r4c-mv6g
credits:
- zer0yu
- chenjj
references:
- advisory: https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
- fix: https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298
- fix: https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a
- fix: https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502
review_status: REVIEWED