| id: GO-2023-2379 |
| modules: |
| - module: github.com/lestrrat-go/jwx |
| versions: |
| - fixed: 1.2.27 |
| vulnerable_at: 1.2.26 |
| packages: |
| - package: github.com/lestrrat-go/jwx/jwe |
| symbols: |
| - Decrypt |
| - module: github.com/lestrrat-go/jwx/v2 |
| versions: |
| - fixed: 2.0.18 |
| vulnerable_at: 2.0.17 |
| packages: |
| - package: github.com/lestrrat-go/jwx/v2/jwe |
| symbols: |
| - decryptCtx.decryptContent |
| derived_symbols: |
| - Decrypt |
| summary: Denial of service due to malicious parameters in github.com/lestrrat-go/jwx |
| description: |- |
| The JWE key management algorithms based on PBKDF2 require a JOSE Header |
| Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 |
| iterations needed to derive a CEK wrapping key. Its purpose is to intentionally |
| slow down the key derivation function, making password brute-force and |
| dictionary attacks more resource-intensive. However, if an attacker sets the p2c |
| parameter in JWE to a very large number, it can cause excessive computational |
| consumption. |
| cves: |
| - CVE-2023-49290 |
| ghsas: |
| - GHSA-7f9x-gw85-8grf |
| credits: |
| - '@P3ngu1nW' |
| references: |
| - advisory: https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf |
| - fix: https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c |
