Fluid Attacks Database

Description

Decryption of malicious PBES2 JWE objects can consume unbounded system resources The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/square/go-jose	>=0 <2.6.2	2.6.2
go	github.com/go-jose/go-jose/v3	>=0 <3.0.1	3.0.1

Aliases

1. GCVE-GHSA-2c7c-3mj9-8fqh

References

1. https://github.com/go-jose/go-jose/issues/642. https://github.com/go-jose/go-jose/commit/65351c27657d58960c2e6c9fbb2b00f818e505683. https://github.com/go-jose/go-jose/commit/a3d307244c3bc50b25a71aa0688764c32ec419c7

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.