{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-52428", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T22:55:41.674Z", "dateReserved": "2024-02-11T00:00:00", "datePublished": "2024-02-11T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-02-11T04:43:14.335876"}, "descriptions": [{"lang": "en", "value": "In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/"}, {"url": "https://connect2id.com/products/nimbus-jose-jwt"}, {"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52428", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-20T16:48:17.652106Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:23:52.368Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:55:41.674Z"}, "title": "CVE Program Container", "references": [{"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/", "tags": ["x_transferred"]}, {"url": "https://connect2id.com/products/nimbus-jose-jwt", "tags": ["x_transferred"]}, {"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/", "tags": ["x_transferred"]}, {"url": "https://connect2id.com/products/nimbus-jose-jwt", "tags": ["x_transferred"]}, {"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:55:41.674Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52428", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-20T16:48:17.652106Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:11.753Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/"}, {"url": "https://connect2id.com/products/nimbus-jose-jwt"}, {"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e"}], "descriptions": [{"lang": "en", "value": "In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-02-11T04:43:14.335876"}}}, "cveMetadata": {"cveId": "CVE-2023-52428", "state": "PUBLISHED", "dateUpdated": "2024-08-02T22:55:41.674Z", "dateReserved": "2024-02-11T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-02-11T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component."}, {"lang": "es", "value": "En Connect2id Nimbus JOSE+JWT anterior a 9.37.2, un atacante puede provocar una denegaci\u00f3n de servicio (consumo de recursos) a trav\u00e9s de un valor de encabezado JWE p2c grande (tambi\u00e9n conocido como recuento de iteraciones) para el componente PasswordBasedDecrypter (PBKDF2)."}], "id": "CVE-2023-52428", "lastModified": "2024-02-11T22:29:15.837", "metrics": {}, "published": "2024-02-11T05:15:08.383", "references": [{"source": "cve@mitre.org", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e"}, {"source": "cve@mitre.org", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/"}, {"source": "cve@mitre.org", "url": "https://connect2id.com/products/nimbus-jose-jwt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:6883", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:3.20.7", "package": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat build of Apache Camel 3.20.7 for Spring Boot", "release_date": "2024-09-19T00:00:00Z"}], "bugzilla": {"description": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service", "id": "2309764", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.", "A vulnerability was found in the Nimbus Jose JWT package. This issue could allow an attacker to use a malicious large JWE p2c header value for PasswordBasedDecrypter and cause a Denial of Service (DoS)."], "name": "CVE-2023-52428", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat build of Apache Camel for Quarkus"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat build of Apache Camel for Spring Boot"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat build of Apache Camel - HawtIO"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat JBoss A-MQ 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "streams for Apache Kafka"}], "public_date": "2024-02-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52428\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52428"], "threat_severity": "Important"}