logo

Database

Insecurely generated token In org.bitbucket.b_c:jose4j

Description

jose4j is vulnerable to DoS via compressed JWE content In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-293712. NVD-2024-293713. OSV-2024-293714. OSV-DEBIAN-2024-293715. GCVE-2024-293716. SECURITY-TRACKER-CVE-2024-29371

References

1. https://bitbucket.org/b_c/jose4j/commits/19a90a64c47bb07c4aa5462f1316d5c293d81fcf2. https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.