logo

Database

Asymmetric denial of service In github.com/dvsekhvalnov/jose2go

Description

Duplicate Advisory: Denial of service when decrypting attack controlled input in github.com/dvsekhvalnov/jose2go

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-6294-6rgp-fr7r. This link is maintained to preserve external references.

Original Description

An attacker controlled input of a PBES2 encrypted JWE blob can have a very large p2c value that, when decrypted, produces a denial-of-service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GCVE-GHSA-mhpq-9638-x6pw

References

1. https://github.com/dvsekhvalnov/jose2go/issues/312. https://github.com/dvsekhvalnov/jose2go/commit/a4584e9dd7128608fedbc67892eba9697f0d53173. https://www.blackhat.com/us-23/briefings/schedule/#three-new-attacks-against-json-web-tokens-31695

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.