Moderate severity · NVD Advisory · Published Apr 25, 2024 · Updated Sep 5, 2024
CVE-2024-33664
Description
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| python-jose (PyPI) | < 3.4.0 | 3.4.0 |
Affected products
- python-jose/python-jose
- OSV coordinates (5 versions):
  - pkg:apk/chainguard/awx
  - pkg:pypi/python-jose
  - pkg:rpm/opensuse/python-cryptography&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/python-python-jose&distro=openSUSE%20Leap%2015.5
  - pkg:rpm/suse/python-python-jose&distro=SUSE%20Package%20Hub%2015%20SP5
- Affected version ranges (no CPE assigned):
  - < 24.6.1-r19
  - < 3.4.0
  - < 3.3.0-3.1
  - < 3.0.1-bp155.3.6.1
  - < 3.0.1-bp155.3.6.1
References
- github.com/advisories/GHSA-cjwg-qfpm-7377 (source: GHSA, type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-33664 (source: GHSA, type: advisory)
- github.com/mpdavis/python-jose/issues/344 (source: GHSA, type: web)
- github.com/mpdavis/python-jose/pull/345 (source: GHSA, type: web)
- github.com/mpdavis/python-jose/releases/tag/3.4.0 (source: GHSA, type: web)
- github.com/pypa/advisory-database/tree/main/vulns/python-jose/PYSEC-2024-233.yaml (source: GHSA, type: web)
- www.vicarius.io/vsociety/posts/jwt-bomb-in-python-jose-cve-2024-33664 (source: GHSA, type: web)