| id: GO-2024-2632 |
| modules: |
| - module: github.com/lestrrat-go/jwx |
| versions: |
| - fixed: 1.2.29 |
| vulnerable_at: 1.2.28 |
| packages: |
| - package: github.com/lestrrat-go/jwx/jwe |
| symbols: |
| - uncompress |
| - Decrypt |
| derived_symbols: |
| - Message.Decrypt |
| - module: github.com/lestrrat-go/jwx/v2 |
| versions: |
| - fixed: 2.0.21 |
| vulnerable_at: 2.0.20 |
| packages: |
| - package: github.com/lestrrat-go/jwx/v2/jwe |
| symbols: |
| - uncompress |
| - Decrypt |
| - Settings |
| - decryptCtx.decryptContent |
| summary: |- |
| JWX vulnerable to a denial of service attack using compressed JWE message in |
| github.com/lestrrat-go/jwx |
| description: |- |
| An attacker with a trusted public key may cause a Denial-of-Service (DoS) |
| condition by crafting a malicious JSON Web Encryption (JWE) token with an |
| exceptionally high compression ratio. When this token is processed by the |
| recipient, it results in significant memory allocation and processing time |
| during decompression. |
| cves: |
| - CVE-2024-28122 |
| ghsas: |
| - GHSA-hj3v-m684-v259 |
| references: |
| - advisory: https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259 |
| - fix: https://github.com/lestrrat-go/jwx/commit/d01027d74c7376d66037a10f4f64af9af26a7e34 |
| - fix: https://github.com/lestrrat-go/jwx/commit/d43f2ceb7f0c13714dfe8854d6439766e86faa76 |
| - web: https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29 |
| - web: https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21 |
| source: |
| id: GHSA-hj3v-m684-v259 |
| created: 2024-05-17T15:43:27.61183-04:00 |
| review_status: REVIEWED |
