jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling `jws.Parse` with a JSON serialized payload where the `signature` field is present while `protected` is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS a system doing JWS verification. This vulnerability has been patched in versions 2.0.19 and 1.2.28.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-09T19:18:03.742Z

Updated: 2024-08-01T22:27:36.099Z

Reserved: 2023-12-29T16:10:20.367Z

Link: CVE-2024-21664

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2024-01-09T20:15:43.740

Modified: 2024-11-21T08:54:49.440

Link: CVE-2024-21664

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-01-09T00:00:00Z

Links: CVE-2024-21664 - Bugzilla