{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-51775", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-14T18:42:03.439Z", "dateReserved": "2023-12-25T00:00:00", "datePublished": "2023-12-25T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-12-25T21:16:04.514276"}, "descriptions": [{"lang": "en", "value": "The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://bitbucket.org/b_c/jose4j/issues/212"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:48:11.248Z"}, "title": "CVE Program Container", "references": [{"url": "https://bitbucket.org/b_c/jose4j/issues/212", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "affected": [{"vendor": "jose4j_project", "product": "jose4j", "cpes": ["cpe:2.3:a:jose4j_project:jose4j:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.9.4", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-03-01T18:51:39.813007Z", "id": "CVE-2023-51775", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-14T18:42:03.439Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bitbucket.org/b_c/jose4j/issues/212", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:48:11.248Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-51775", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-01T18:51:39.813007Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:jose4j_project:jose4j:*:*:*:*:*:*:*:*"], "vendor": "jose4j_project", "product": "jose4j", "versions": [{"status": "affected", "version": "0", "lessThan": "0.9.4", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-14T18:41:55.268Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://bitbucket.org/b_c/jose4j/issues/212"}], "descriptions": [{"lang": "en", "value": "The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-12-25T21:16:04.514276"}}}, "cveMetadata": {"cveId": "CVE-2023-51775", "state": "PUBLISHED", "dateUpdated": "2024-08-14T18:42:03.439Z", "dateReserved": "2023-12-25T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-12-25T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value."}, {"lang": "es", "value": "El componente jose4j anterior a 0.9.4 para Java permite a los atacantes provocar una denegaci\u00f3n de servicio (consumo de CPU) mediante un valor grande de p2c (tambi\u00e9n conocido como PBES2 Count)."}], "id": "CVE-2023-51775", "lastModified": "2024-08-14T19:35:15.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-02-29T01:42:05.637", "references": [{"source": "cve@mitre.org", "url": "https://bitbucket.org/b_c/jose4j/issues/212"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3550", "cpe": "cpe:/a:redhat:rhboac_hawtio:4.0.0", "package": "jose4j", "product_name": "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:4873", "cpe": "cpe:/a:redhat:apicurio_registry:2.6", "package": "jose4j", "product_name": "Red Hat build of Apicurio Registry 2.6.1 GA", "release_date": "2024-07-25T00:00:00Z"}, {"advisory": "RHSA-2024:4392", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "jose4j", "product_name": "Red Hat JBoss Enterprise Application Platform 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4386", "cpe": "cpe:/a:redhat:jbosseapxp", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-operator-bundle:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-rhel8-operator:1.33.0-3", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-swf-builder-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-swf-devmode-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}], "bugzilla": {"description": "jose4j: denial of service via specially crafted JWE", "id": "2266921", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266921"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.", "A flaw was found in the jose.4.j (jose4j) library. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive. However, if an attacker sets the p2c parameter in JWE to a large number, it can cause high computational consumption, resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-51775", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Not affected", "package_name": "jenkins-2-plugins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "jose4j", "product_name": "Red Hat build of Apache Camel for Spring Boot"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "jose4j", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Affected", "package_name": "org.bitbucket.b_c/jose4j", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "jose4j", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "jose4j", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "jose4j", "product_name": "Red Hat Integration Change Data Capture"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "jose4j", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "jose4j", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "jose4j", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "jose4j", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Will not fix", "package_name": "jose4j", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "jose4j", "product_name": "streams for Apache Kafka"}], "public_date": "2024-02-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-51775\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-51775"], "statement": "The vulnerability in the jose4j library, where the \"p2c\" parameter in PBKDF2-based JWE key management algorithms can be manipulated to induce high computational consumption, is classified as moderate severity due to its potential impact on service availability and resource exhaustion. By setting a large value for \"p2c\", an attacker can force the server to perform an excessive number of PBKDF2 iterations during key derivation. This results in increased CPU and memory usage, potentially leading to degraded performance or temporary denial of service.", "threat_severity": "Moderate", "upstream_fix": "jose4j 0.9.4"}