Fluid Attacks Database

Description

Denial of Service in Connect2id Nimbus JOSE+JWT In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.nimbusds:nimbus-jose-jwt	>=0 <9.37.2	9.37.2

Aliases

1. CVE-2023-524282. NVD-2023-524283. OSV-2023-524284. GCVE-2023-52428

References

1. https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e2. https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/5263. https://connect2id.com/products/nimbus-jose-jwt

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.