Moderate severity · NVD Advisory · Published Mar 6, 2024 · Updated Sep 9, 2024
JWCrypto vulnerable to JWT bomb Attack in `deserialize` function
CVE-2024-28102
Description
JWCrypto implements the JWK, JWS, and JWE specifications on top of python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service by submitting a malicious JWE token whose compressed payload has a very high compression ratio; when the server processes such a token it consumes large amounts of memory and processing time while inflating it. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.
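The two size checks this advisory turns on, as an added Python example that is not jwcrypto's own code: a length cap applied to the serialized token before any parsing (the approach the advisory attributes to 1.5.6), and a bounded inflate for a JWE `"zip":"DEF"` payload (raw DEFLATE per RFC 1951) so a small token cannot expand into an arbitrarily large plaintext. The limits `MAX_TOKEN_LENGTH` and `MAX_PLAINTEXT_LENGTH`, the function names, and the 10 MB zero-filled sample used to show the compression ratio are all constructed for this example and are not taken from the advisory or the project.

```python
import zlib

# Hypothetical limits for this example; the advisory only states that 1.5.6
# limits the maximum token length, not the values it chose.
MAX_TOKEN_LENGTH = 250_000        # bytes of serialized token accepted at all
MAX_PLAINTEXT_LENGTH = 1_000_000  # bytes the inflated payload may reach


class TokenTooLarge(ValueError):
    """Serialized token exceeds the configured length limit."""


class DecompressionBomb(ValueError):
    """Inflated payload would exceed the configured plaintext limit."""


def check_token_length(token: str, limit: int = MAX_TOKEN_LENGTH) -> str:
    """First line of defence: reject oversized tokens before parsing,
    decryption or decompression touch them at all."""
    size = len(token.encode("utf-8"))
    if size > limit:
        raise TokenTooLarge(f"token is {size} bytes, limit is {limit}")
    return token


def token_accepted(token: str, limit: int = MAX_TOKEN_LENGTH) -> bool:
    """Boolean wrapper around check_token_length for callers that prefer no exception."""
    try:
        check_token_length(token, limit)
    except TokenTooLarge:
        return False
    return True


def deflate(data: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951), the encoding JWE uses for "zip":"DEF".
    Used here only to construct inputs for the demonstration."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def bounded_inflate(data: bytes, limit: int = MAX_PLAINTEXT_LENGTH) -> bytes:
    """Inflate a raw DEFLATE stream, stopping as soon as the output would
    exceed `limit`. decompressobj.decompress(max_length) never returns more
    than max_length bytes and parks unprocessed input in unconsumed_tail, so
    peak memory is bounded by the limit rather than by the attacker's ratio."""
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
    out = d.decompress(data, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise DecompressionBomb(
            f"inflated payload exceeds {limit} bytes (compressed input was {len(data)} bytes)"
        )
    out += d.flush()
    if len(out) > limit:
        raise DecompressionBomb(f"inflated payload exceeds {limit} bytes")
    if not d.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    return out


def is_bomb(data: bytes, limit: int = MAX_PLAINTEXT_LENGTH) -> bool:
    """True when inflating `data` would blow past `limit`."""
    try:
        bounded_inflate(data, limit)
    except DecompressionBomb:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: 10 MB of zero bytes compresses to a few kilobytes,
    # which is the shape of payload the advisory describes.
    bomb = deflate(b"\x00" * 10_000_000)
    benign = deflate(b'{"sub":"alice","exp":1700000000}')
    print(f"bomb: {len(bomb)} bytes compressed, is_bomb={is_bomb(bomb)}")
    print(f"benign: {len(benign)} bytes compressed, is_bomb={is_bomb(benign)}")
    print(f"250 KB token accepted: {token_accepted('x' * 250_000)}")
    print(f"1 MB token accepted: {token_accepted('x' * 1_000_000)}")
```

The token-length cap is the cheap check that runs before any cryptographic work, and by itself it bounds the inflated size to roughly 1000x the cap because DEFLATE cannot compress better than about 1032:1; the bounded inflate is the second, tighter control for deployments that want an explicit plaintext ceiling independent of the compression ratio.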
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jwcrypto (PyPI) | < 1.5.6 | 1.5.6 |
Affected products
15 entries (OSV package coordinates); no CPE is recorded for any of them.

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/py3.10-jwcrypto | < 1.5.6-r0 |
| pkg:apk/chainguard/py3.11-jwcrypto | < 1.5.6-r0 |
| pkg:apk/chainguard/py3.12-jwcrypto | < 1.5.6-r0 |
| pkg:apk/chainguard/py3.13-jwcrypto | < 1.5.6-r0 |
| pkg:apk/chainguard/py3-jwcrypto | < 1.5.6-r0 |
| pkg:apk/chainguard/py3-supported-jwcrypto | < 1.5.6-r0 |
| pkg:apk/wolfi/py3.10-jwcrypto | < 1.5.6-r0 |
| pkg:apk/wolfi/py3.11-jwcrypto | < 1.5.6-r0 |
| pkg:apk/wolfi/py3.12-jwcrypto | < 1.5.6-r0 |
| pkg:apk/wolfi/py3.13-jwcrypto | < 1.5.6-r0 |
| pkg:apk/wolfi/py3-jwcrypto | < 1.5.6-r0 |
| pkg:apk/wolfi/py3-supported-jwcrypto | < 1.5.6-r0 |
| pkg:pypi/jwcrypto | < 1.5.6 |
| pkg:rpm/almalinux/python3-jwcrypto | < 0.8-5.el9_4 |
| pkg:rpm/rocky-linux/python-jwcrypto?distro=rocky-linux-9-x86-64&epoch=0 | < 0:0.8-5.el9_4 |
References
- github.com/advisories/GHSA-j857-7rvv-vj97 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-28102 (NVD advisory)
- github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f (fix commit, x_refsource_MISC)
- github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97 (project advisory, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2024/09/msg00026.html (Debian LTS announcement)
- www.vicarius.io/vsociety/posts/denial-of-service-vulnerability-discovered-in-jwcrypto-cve-2024-28102-28103 (write-up)