blob: e04c3db009ad23e7c17a25c59bd44cc0574e7bd4 [file] [log] [blame]
id: GO-2023-2334
modules:
- module: github.com/go-jose/go-jose/v3
versions:
- fixed: 3.0.1
vulnerable_at: 3.0.0
packages:
- package: github.com/go-jose/go-jose/v3
symbols:
- symmetricKeyCipher.decryptKey
derived_symbols:
- JSONWebEncryption.Decrypt
- JSONWebEncryption.DecryptMulti
- module: github.com/square/go-jose
vulnerable_at: 2.6.0+incompatible
packages:
- package: github.com/square/go-jose
symbols:
- symmetricKeyCipher.decryptKey
derived_symbols:
- JSONWebEncryption.Decrypt
- JSONWebEncryption.DecryptMulti
summary: |-
Denial of service via decryption of malicious PBES2 JWE objects in
github.com/go-jose/go-jose/v3
description: |-
The go-jose package is subject to a "billion hashes attack" causing
denial-of-service when decrypting JWE inputs. This occurs when an attacker can
provide a PBES2 encrypted JWE blob with a very large p2c value that, when
decrypted, produces a denial-of-service.
ghsas:
- GHSA-2c7c-3mj9-8fqh
references:
- fix: https://github.com/go-jose/go-jose/commit/65351c27657d58960c2e6c9fbb2b00f818e50568
- report: https://github.com/go-jose/go-jose/issues/64
review_status: REVIEWED