{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49290", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-24T16:45:24.313Z", "datePublished": "2023-12-04T23:42:53.061Z", "dateUpdated": "2024-08-02T21:53:45.354Z"}, "containers": {"cna": {"title": "Malicious parameters can cause a denial of service in lestrrat-go/jwx", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf"}, {"name": "https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c", "tags": ["x_refsource_MISC"], "url": "https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c"}], "affected": [{"vendor": "lestrrat-go", "product": "jwx", "versions": [{"version": "< 1.2.27", "status": "affected"}, {"version": ">= 2.0.0, < 2.0.18", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-04T23:42:53.061Z"}, "descriptions": [{"lang": "en", "value": "lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's algorithm PBES2-* could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource- intensive. Therefore, if an attacker sets the p2c parameter in JWE to a very large number, it can cause a lot of computational consumption, resulting in a denial of service. This vulnerability has been addressed in commit `64f2a229b` which has been included in release version 1.2.27 and 2.0.18. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-7f9x-gw85-8grf", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:53:45.354Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf"}, {"name": "https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lestrrat-go:jwx:*:*:*:*:*:*:*:*", "matchCriteriaId": "D883F8E3-02A2-4BC4-ADB3-F420624DD720", "versionEndExcluding": "1.2.27", "vulnerable": true}, {"criteria": "cpe:2.3:a:lestrrat-go:jwx:*:*:*:*:*:*:*:*", "matchCriteriaId": "566A6052-A735-4FDB-975D-47C594210E70", "versionEndExcluding": "2.0.18", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's algorithm PBES2-* could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource- intensive. Therefore, if an attacker sets the p2c parameter in JWE to a very large number, it can cause a lot of computational consumption, resulting in a denial of service. This vulnerability has been addressed in commit `64f2a229b` which has been included in release version 1.2.27 and 2.0.18. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "lestrrat-go/jwx es un m\u00f3dulo Go que implementa varias tecnolog\u00edas JWx (JWA/JWE/JWK/JWS/JWT, tambi\u00e9n conocidas como JOSE). Un par\u00e1metro p2c establecido demasiado alto en el algoritmo PBES2-* de JWE podr\u00eda provocar una denegaci\u00f3n de servicio. Los algoritmos de gesti\u00f3n de claves JWE basados en PBKDF2 requieren un par\u00e1metro de encabezado JOSE llamado p2c (PBES2 Count). Este par\u00e1metro dicta el n\u00famero de iteraciones de PBKDF2 necesarias para derivar una clave de envoltura CEK. Su objetivo principal es ralentizar intencionalmente la funci\u00f3n de derivaci\u00f3n de claves, haciendo que los ataques de fuerza bruta a contrase\u00f1as y de diccionario requieran m\u00e1s recursos. Por lo tanto, si un atacante establece el par\u00e1metro p2c en JWE en un n\u00famero muy grande, puede provocar un gran consumo computacional, lo que resultar\u00e1 en una denegaci\u00f3n de servicio. Esta vulnerabilidad se solucion\u00f3 en el commit `64f2a229b` que se incluy\u00f3 en las versiones 1.2.27 y 2.0.18. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-49290", "lastModified": "2024-11-21T08:33:11.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-05T00:15:09.190", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "jwx: Malicious parameters in JWE can cause denial of service", "id": "2252905", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2252905"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-400", "details": ["lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's algorithm PBES2-* could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource- intensive. Therefore, if an attacker sets the p2c parameter in JWE to a very large number, it can cause a lot of computational consumption, resulting in a denial of service. This vulnerability has been addressed in commit `64f2a229b` which has been included in release version 1.2.27 and 2.0.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "A flaw was found in JWX. This issue occurs when passing crafted input to the JWE key management algorithm, which may result in a denial of service by using an excessive amount of CPU resources."], "name": "CVE-2023-49290", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Will not fix", "package_name": "openshift-service-mesh/istio-cni-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Will not fix", "package_name": "openshift-service-mesh/pilot-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Will not fix", "package_name": "openshift-service-mesh/proxyv2-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/ocs-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/odf-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}], "public_date": "2023-12-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-49290\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-49290\nhttps://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c\nhttps://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf"], "threat_severity": "Moderate", "upstream_fix": "jwx 2.0.18, jwx 1.2.27"}