blob: ff5170cd9e6bc20a80ef8a205ae2d4115912e176 [file] [log] [blame]
id: GO-2023-2379
modules:
- module: github.com/lestrrat-go/jwx
versions:
- fixed: 1.2.27
vulnerable_at: 1.2.26
packages:
- package: github.com/lestrrat-go/jwx/jwe
symbols:
- Decrypt
- module: github.com/lestrrat-go/jwx/v2
versions:
- fixed: 2.0.18
vulnerable_at: 2.0.17
packages:
- package: github.com/lestrrat-go/jwx/v2/jwe
symbols:
- decryptCtx.decryptContent
derived_symbols:
- Decrypt
summary: Denial of service due to malicious parameters in github.com/lestrrat-go/jwx
description: |-
The JWE key management algorithms based on PBKDF2 require a JOSE Header
Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2
iterations needed to derive a CEK wrapping key. Its purpose is to intentionally
slow down the key derivation function, making password brute-force and
dictionary attacks more resource-intensive. However, if an attacker sets the p2c
parameter in JWE to a very large number, it can cause excessive computational
consumption.
cves:
- CVE-2023-49290
ghsas:
- GHSA-7f9x-gw85-8grf
credits:
- '@P3ngu1nW'
references:
- advisory: https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf
- fix: https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c
review_status: REVIEWED