{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21664", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T16:10:20.367Z", "datePublished": "2024-01-09T19:18:03.742Z", "dateUpdated": "2024-08-01T22:27:36.099Z"}, "containers": {"cna": {"title": "Parsing JSON serialized payload without protected field can lead to segfault", "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-pvcr-v8j8-j5q3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-pvcr-v8j8-j5q3"}, {"name": "https://github.com/lestrrat-go/jwx/commit/0e8802ce6842625845d651456493e7c87625601f", "tags": ["x_refsource_MISC"], "url": "https://github.com/lestrrat-go/jwx/commit/0e8802ce6842625845d651456493e7c87625601f"}, {"name": "https://github.com/lestrrat-go/jwx/commit/8c53d0ae52d5ab1e2b37c5abb67def9e7958fd65", "tags": ["x_refsource_MISC"], "url": "https://github.com/lestrrat-go/jwx/commit/8c53d0ae52d5ab1e2b37c5abb67def9e7958fd65"}, {"name": "https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd", "tags": ["x_refsource_MISC"], "url": "https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd"}], "affected": [{"vendor": "lestrrat-go", "product": "jwx", "versions": [{"version": ">= 2.0.0, < 2.0.19", "status": "affected"}, {"version": ">= 1.0.8, < 1.2.28", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-05T15:37:42.909Z"}, "descriptions": [{"lang": "en", "value": "jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling `jws.Parse` with a JSON serialized payload where the `signature` field is present while `protected` is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS a system doing JWS verification. This vulnerability has been patched in versions 2.0.19 and 1.2.28.\n"}], "source": {"advisory": "GHSA-pvcr-v8j8-j5q3", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.099Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-pvcr-v8j8-j5q3", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-pvcr-v8j8-j5q3"}, {"name": "https://github.com/lestrrat-go/jwx/commit/0e8802ce6842625845d651456493e7c87625601f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lestrrat-go/jwx/commit/0e8802ce6842625845d651456493e7c87625601f"}, {"name": "https://github.com/lestrrat-go/jwx/commit/8c53d0ae52d5ab1e2b37c5abb67def9e7958fd65", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lestrrat-go/jwx/commit/8c53d0ae52d5ab1e2b37c5abb67def9e7958fd65"}, {"name": "https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lestrrat-go:jwx:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BC42760-3661-434C-8568-AF4B49498561", "versionEndExcluding": "2.0.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling `jws.Parse` with a JSON serialized payload where the `signature` field is present while `protected` is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS a system doing JWS verification. This vulnerability has been patched in versions 2.0.19 and 1.2.28.\n"}, {"lang": "es", "value": "jwx es un m\u00f3dulo Go que implementa varias tecnolog\u00edas JWx (JWA/JWE/JWK/JWS/JWT, tambi\u00e9n conocidas como JOSE). Llamar a `jws.Parse` con un payload serializado JSON donde el campo `signature` est\u00e1 presente mientras que `protected` est\u00e1 ausente puede provocar una desreferencia del puntero nulo. La vulnerabilidad se puede utilizar para bloquear/DOS un sistema que realiza la verificaci\u00f3n JWS. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 2.0.19."}], "id": "CVE-2024-21664", "lastModified": "2024-02-05T16:15:55.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-09T20:15:43.740", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/lestrrat-go/jwx/commit/0e8802ce6842625845d651456493e7c87625601f"}, {"source": "security-advisories@github.com", "url": "https://github.com/lestrrat-go/jwx/commit/8c53d0ae52d5ab1e2b37c5abb67def9e7958fd65"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-pvcr-v8j8-j5q3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "jwx: parsing JSON serialized payload without protected field can lead to panic", "id": "2257608", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257608"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling `jws.Parse` with a JSON serialized payload where the `signature` field is present while `protected` is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS a system doing JWS verification. This vulnerability has been patched in versions 2.0.19 and 1.2.28.", "A null pointer dereference vulnerability was found in the jwx/jws Go module. This issue arises when invoking \"jws.Parse\" with a JSON serialized payload containing a present signature field while the protected field is absentm, which may cause a system crash or initiate a denial of service (DOS) attack during JWS verification."], "name": "CVE-2024-21664", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Will not fix", "package_name": "openshift-service-mesh/istio-cni-rhel8", "product_name": "OpenShift Service Mesh 2"}], "public_date": "2024-01-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21664\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21664\nhttps://github.com/lestrrat-go/jwx/security/advisories/GHSA-pvcr-v8j8-j5q3"], "threat_severity": "Moderate", "upstream_fix": "github.com/lestrrat-go/jwx/v2/jws 2.0.19, github.com/lestrrat-go/jwx/v2/jws 1.2.28"}