High severityNVD Advisory· Published Feb 11, 2024· Updated Oct 30, 2024
CVE-2023-52428
CVE-2023-52428
Description
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.nimbusds:nimbus-jose-jwtMaven | < 9.37.2 | 9.37.2 |
Affected products
42- osv-coords41 versionspkg:apk/chainguard/celeborn-0.5pkg:apk/chainguard/celeborn-0.6pkg:apk/chainguard/dependency-trackpkg:apk/chainguard/dependency-track-bundledpkg:apk/chainguard/druidpkg:apk/chainguard/elasticsearch-7pkg:apk/chainguard/elasticsearch-7-bitnamipkg:apk/chainguard/elasticsearch-7-iamguardedpkg:apk/chainguard/elasticsearch-8pkg:apk/chainguard/elasticsearch-8-bitnamipkg:apk/chainguard/elasticsearch-8-configpkg:apk/chainguard/elasticsearch-8-iamguardedpkg:apk/chainguard/elasticsearch-configpkg:apk/chainguard/hadoop-client-modulespkg:apk/chainguard/hivepkg:apk/chainguard/hive-compatpkg:apk/chainguard/sonarqube-10pkg:apk/chainguard/sonarqube-10-docker-compatpkg:apk/chainguard/sonarqube-10-scriptspkg:apk/chainguard/stargatepkg:apk/chainguard/tezpkg:apk/chainguard/thingsboardpkg:apk/chainguard/thingsboard-tb-js-executorpkg:apk/chainguard/thingsboard-tb-mqtt-transportpkg:apk/chainguard/thingsboard-tb-nodepkg:apk/chainguard/thingsboard-tb-web-uipkg:apk/wolfi/celeborn-0.5pkg:apk/wolfi/celeborn-0.6pkg:apk/wolfi/dependency-trackpkg:apk/wolfi/dependency-track-bundledpkg:apk/wolfi/druidpkg:apk/wolfi/sonarqube-10pkg:apk/wolfi/sonarqube-10-docker-compatpkg:apk/wolfi/sonarqube-10-scriptspkg:apk/wolfi/tezpkg:apk/wolfi/thingsboardpkg:apk/wolfi/thingsboard-tb-js-executorpkg:apk/wolfi/thingsboard-tb-mqtt-transportpkg:apk/wolfi/thingsboard-tb-nodepkg:apk/wolfi/thingsboard-tb-web-uipkg:maven/com.nimbusds/nimbus-jose-jwt
< 0.5.4-r26+ 40 more
- (no CPE)range: < 0.5.4-r26
- (no CPE)range: < 0.6.3-r7
- (no CPE)range: < 4.10.1-r3
- (no CPE)range: < 4.10.1-r3
- (no CPE)range: < 37.0.0-r14
- (no CPE)range: < 7.17.20-r0
- (no CPE)range: < 7.17.20-r0
- (no CPE)range: < 7.17.20-r0
- (no CPE)range: < 8.13.2-r1
- (no CPE)range: < 8.13.2-r1
- (no CPE)range: < 8.13.2-r1
- (no CPE)range: < 8.13.2-r1
- (no CPE)range: < 8.13.2-r1
- (no CPE)range: < 3.3.6-r7
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 25.1.0.102122-r0
- (no CPE)range: < 25.1.0.102122-r0
- (no CPE)range: < 25.1.0.102122-r0
- (no CPE)range: < 1.0.79-r2
- (no CPE)range: < 0.10.4-r6
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 0.5.4-r26
- (no CPE)range: < 0.6.3-r7
- (no CPE)range: < 4.10.1-r3
- (no CPE)range: < 4.10.1-r3
- (no CPE)range: < 37.0.0-r14
- (no CPE)range: < 25.1.0.102122-r0
- (no CPE)range: < 25.1.0.102122-r0
- (no CPE)range: < 25.1.0.102122-r0
- (no CPE)range: < 0.10.4-r6
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 9.37.2
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-gvpg-vgmx-xg6wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-52428ghsaADVISORY
- bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77eghsaWEB
- bitbucket.org/connect2id/nimbus-jose-jwt/issues/526ghsaWEB
- connect2id.com/products/nimbus-jose-jwtghsaWEB
- bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/mitre
News mentions
0No linked articles in our index yet.