logo

Database

Asymmetric denial of service In python-jose

Description

python-jose denial of service via compressed JWE content python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-336642. NVD-2024-336643. OSV-DEBIAN-2024-336644. OSV-2024-336645. GCVE-2024-336646. SECURITY-TRACKER-CVE-2024-33664

References

1. https://github.com/mpdavis/python-jose/issues/3442. https://github.com/mpdavis/python-jose/pull/3453. https://github.com/mpdavis/python-jose/releases/tag/3.4.04. https://github.com/pypa/advisory-database/tree/main/vulns/python-jose/PYSEC-2024-233.yaml5. https://www.vicarius.io/vsociety/posts/jwt-bomb-in-python-jose-cve-2024-33664

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.