Fluid Attacks Database

Description

Jose was found to have an uncontrolled resource consumption vulnerability. Under certain conditions, the user's environment can consume an unreasonable amount of CPU time or memory during JWE decryption operations, leading to a denial of service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	jose-node-cjs-runtime	>=0 <4.15.5	4.15.5
npm	jose-node-esm-runtime	>=0 <4.15.5	4.15.5
npm	jose	>=3.0.0 <4.15.5 \|\| >=0 <2.0.7	4.15.5, 2.0.7
rpm rhel9	jose	<0:14-1.el9	0:14-1.el9
rpm rhel9	podman	<4:4.9.4-4.el9_4	4:4.9.4-4.el9_4
rpm rhel8	jose	<0:10-2.el8_10.3	0:10-2.el8_10.3
rpm rhel7	jose	-	-
rpm rhel9	buildah	<2:1.33.7-2.el9_4	2:1.33.7-2.el9_4

Aliases

1. CVE-2024-281762. NVD-2024-281763. OSV-2024-281764. GHSA-hhhv-q57g-882q5. GCVE-2024-28176

References

1. https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q2. https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a93143. https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b4. https://lists.fedoraproject.org/archives/list/[email protected]/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG5. https://lists.fedoraproject.org/archives/list/[email protected]/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY6. https://lists.fedoraproject.org/archives/list/[email protected]/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG7. https://lists.fedoraproject.org/archives/list/[email protected]/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY8. https://lists.fedoraproject.org/archives/list/[email protected]/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH