CVE-2025-27144 - Vulnerability Details

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Redhat	Advanced Cluster Security Enterprise Linux Logging Openshift Openshift Custom Metrics Autoscaler Openshift Distributed Tracing Rhel Eus Trusted Artifact Signer

No data.

Package	CPE	Advisory	Released Date
Red Hat Advanced Cluster Security 4.6
advanced-cluster-security/rhacs-central-db-rhel8:4.6.4-4	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3439	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-collector-rhel8:4.6.4-3	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3439	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.4-3	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3439	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-main-rhel8:4.6.4-7	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3439	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-operator-bundle:4.6.4-7	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3439	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.6.4-4	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3439	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.6.4-3	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3439	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.4-4	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3439	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.6.4-4	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3439	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.6.4-4	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3439	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.4-4	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3439	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.4-4	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3439	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.4-6	cpe:/a:redhat:advanced_cluster_security:4.6::el8	RHSA-2025:3439	2025-04-01T00:00:00Z
Red Hat Advanced Cluster Security 4.7
advanced-cluster-security/rhacs-central-db-rhel8:4.7.1-2	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3438	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-collector-rhel8:4.7.1-2	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3438	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-main-rhel8:4.7.1-5	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3438	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-operator-bundle:4.7.1-3	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3438	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-rhel8-operator:4.7.1-2	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3438	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-roxctl-rhel8:4.7.1-2	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3438	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-rhel8:4.7.1-2	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3438	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.7.1-2	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3438	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-rhel8:4.7.1-2	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3438	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-slim-rhel8:4.7.1-2	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3438	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.7.1-2	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3438	2025-04-01T00:00:00Z
advanced-cluster-security/rhacs-scanner-v4-rhel8:4.7.1-3	cpe:/a:redhat:advanced_cluster_security:4.7::el8	RHSA-2025:3438	2025-04-01T00:00:00Z
Red Hat Enterprise Linux 9
opentelemetry-collector-0:0.107.0-8.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:3335	2025-03-27T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
opentelemetry-collector-0:0.107.0-7.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:3593	2025-04-03T00:00:00Z
Red Hat OpenShift Container Platform 4.16
openshift4/ose-aws-pod-identity-webhook-rhel9:v4.16.0-202503170806.p0.g459c531.assembly.stream.el9	cpe:/a:redhat:openshift:4.16::el9	RHSA-2025:3301	2025-04-03T00:00:00Z
openshift4/ose-azure-workload-identity-webhook-rhel9:v4.16.0-202503210503.p0.ga754496.assembly.stream.el9	cpe:/a:redhat:openshift:4.16::el9	RHSA-2025:3301	2025-04-03T00:00:00Z
openshift4/ose-cloud-credential-rhel9-operator:v4.16.0-202503191806.p0.gaa7ad99.assembly.stream.el9	cpe:/a:redhat:openshift:4.16::el9	RHSA-2025:3301	2025-04-03T00:00:00Z
Red Hat OpenShift Container Platform 4.17
podman-5:5.2.2-4.rhaos4.17.el8	cpe:/a:redhat:openshift:4.17::el8	RHSA-2025:3061	2025-03-27T00:00:00Z
skopeo-2:1.16.1-1.rhaos4.17.el8	cpe:/a:redhat:openshift:4.17::el8	RHSA-2025:3061	2025-03-27T00:00:00Z
openshift4/ose-aws-pod-identity-webhook-rhel9:v4.17.0-202503142136.p0.g80efc4e.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:3059	2025-03-26T00:00:00Z
openshift4/ose-azure-workload-identity-webhook-rhel9:v4.17.0-202503181705.p0.g0e19a4f.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:3059	2025-03-26T00:00:00Z
ose-cloud-credential-operator-container-v4.17.0-202503182004.p0.g3ba961d.assembly.stream.el9	cpe:/a:redhat:openshift:4.17::el9	RHSA-2025:3059	2025-03-26T00:00:00Z
Red Hat OpenShift Container Platform 4.18
openshift4/ose-aws-pod-identity-webhook-rhel9:v4.18.0-202503130333.p0.gf54f9a1.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2025:3066	2025-03-25T00:00:00Z
openshift4/ose-azure-workload-identity-webhook-rhel9:v4.18.0-202503172004.p0.gd1dc8ab.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2025:3066	2025-03-25T00:00:00Z
openshift4/ose-cloud-credential-rhel9-operator:v4.18.0-202503181802.p0.g7785eb4.assembly.stream.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2025:3066	2025-03-25T00:00:00Z
podman-5:5.2.2-6.rhaos4.18.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2025:3068	2025-03-25T00:00:00Z
skopeo-2:1.16.1-1.rhaos4.18.el9	cpe:/a:redhat:openshift:4.18::el9	RHSA-2025:3068	2025-03-25T00:00:00Z
RHOL-6.0-RHEL-9
openshift-logging/cluster-logging-operator-bundle:v6.0.6-8	cpe:/a:redhat:logging:6.0::el9	RHSA-2025:3132	2025-03-26T00:00:00Z
openshift-logging/cluster-logging-rhel9-operator:v6.0.6-4	cpe:/a:redhat:logging:6.0::el9	RHSA-2025:3132	2025-03-26T00:00:00Z
openshift-logging/eventrouter-rhel9:v0.4.0-357	cpe:/a:redhat:logging:6.0::el9	RHSA-2025:3132	2025-03-26T00:00:00Z
openshift-logging/log-file-metric-exporter-rhel9:v1.1.0-338	cpe:/a:redhat:logging:6.0::el9	RHSA-2025:3132	2025-03-26T00:00:00Z
openshift-logging/logging-loki-rhel9:v3.4.2-7	cpe:/a:redhat:logging:6.0::el9	RHSA-2025:3132	2025-03-26T00:00:00Z
openshift-logging/loki-operator-bundle:v6.0.6-10	cpe:/a:redhat:logging:6.0::el9	RHSA-2025:3132	2025-03-26T00:00:00Z
openshift-logging/loki-rhel9-operator:v6.0.6-6	cpe:/a:redhat:logging:6.0::el9	RHSA-2025:3132	2025-03-26T00:00:00Z
openshift-logging/lokistack-gateway-rhel9:v0.1.0-753	cpe:/a:redhat:logging:6.0::el9	RHSA-2025:3132	2025-03-26T00:00:00Z
openshift-logging/opa-openshift-rhel9:v0.1.0-370	cpe:/a:redhat:logging:6.0::el9	RHSA-2025:3132	2025-03-26T00:00:00Z
openshift-logging/vector-rhel9:v0.37.1-35	cpe:/a:redhat:logging:6.0::el9	RHSA-2025:3132	2025-03-26T00:00:00Z
RHOL-6.1-RHEL-9
openshift-logging/cluster-logging-operator-bundle:v6.1.4-10	cpe:/a:redhat:logging:6.1::el9	RHSA-2025:3131	2025-03-26T00:00:00Z
openshift-logging/cluster-logging-rhel9-operator:v6.1.4-5	cpe:/a:redhat:logging:6.1::el9	RHSA-2025:3131	2025-03-26T00:00:00Z
openshift-logging/eventrouter-rhel9:v0.4.0-356	cpe:/a:redhat:logging:6.1::el9	RHSA-2025:3131	2025-03-26T00:00:00Z
openshift-logging/log-file-metric-exporter-rhel9:v1.1.0-337	cpe:/a:redhat:logging:6.1::el9	RHSA-2025:3131	2025-03-26T00:00:00Z
openshift-logging/logging-loki-rhel9:v3.4.2-6	cpe:/a:redhat:logging:6.1::el9	RHSA-2025:3131	2025-03-26T00:00:00Z
openshift-logging/loki-operator-bundle:v6.1.4-13	cpe:/a:redhat:logging:6.1::el9	RHSA-2025:3131	2025-03-26T00:00:00Z
openshift-logging/loki-rhel9-operator:v6.1.4-7	cpe:/a:redhat:logging:6.1::el9	RHSA-2025:3131	2025-03-26T00:00:00Z
openshift-logging/lokistack-gateway-rhel9:v0.1.0-752	cpe:/a:redhat:logging:6.1::el9	RHSA-2025:3131	2025-03-26T00:00:00Z
openshift-logging/opa-openshift-rhel9:v0.1.0-369	cpe:/a:redhat:logging:6.1::el9	RHSA-2025:3131	2025-03-26T00:00:00Z
openshift-logging/vector-rhel9:v0.37.1-34	cpe:/a:redhat:logging:6.1::el9	RHSA-2025:3131	2025-03-26T00:00:00Z
Custom Metric Autoscaler operator for Red Hat Openshift 2.15
registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9:sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303	cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.15::el9	RHSA-2025:3501	2025-04-01T00:00:00Z
Red Hat OpenShift distributed tracing 3.5.1
registry.redhat.io/rhosdt/opentelemetry-collector-rhel8:sha256:360b97d5055aba77fb7cc5c029e910be7e7eb10672df530eca2c91346da2f2b0	cpe:/a:redhat:openshift_distributed_tracing:3.5::el8	RHSA-2025:3743	2025-04-09T00:00:00Z
Red Hat Trusted Artifact Signer 1.1
registry.redhat.io/rhtas/cosign-rhel9:sha256:2a2aa8c1a224419be83afe46b0226e168927c19c8bd3f9c4e562e5e5caebb6a9	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3820	2025-04-10T00:00:00Z
registry.redhat.io/rhtas/gitsign-rhel9:sha256:bef55c43000f266cdb7cf6ea525f7c52f2ee532b7b487ae9752aac31ebded40f	cpe:/a:redhat:trusted_artifact_signer:1.1::el9	RHSA-2025:3820	2025-04-10T00:00:00Z

References

Link	Providers
https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22
https://github.com/go-jose/go-jose/releases/tag/v4.0.5
https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78
https://nvd.nist.gov/vuln/detail/CVE-2025-27144
https://www.cve.org/CVERecord?id=CVE-2025-27144

History

Fri, 11 Apr 2025 03:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat trusted Artifact Signer
CPEs		cpe:/a:redhat:trusted_artifact_signer:1.1::el9
Vendors & Products		Redhat trusted Artifact Signer

Thu, 10 Apr 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Distributed Tracing
CPEs		cpe:/a:redhat:openshift_distributed_tracing:3.5::el8
Vendors & Products		Redhat openshift Distributed Tracing

Fri, 04 Apr 2025 03:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs		cpe:/a:redhat:openshift:4.16::el9 cpe:/a:redhat:rhel_eus:9.4
Vendors & Products		Redhat rhel Eus

Thu, 03 Apr 2025 03:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Custom Metrics Autoscaler
CPEs		cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.15::el9
Vendors & Products		Redhat openshift Custom Metrics Autoscaler

Wed, 02 Apr 2025 03:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat advanced Cluster Security
CPEs		cpe:/a:redhat:advanced_cluster_security:4.6::el8 cpe:/a:redhat:advanced_cluster_security:4.7::el8
Vendors & Products		Redhat advanced Cluster Security

Fri, 28 Mar 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat enterprise Linux

Thu, 27 Mar 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat logging
CPEs		cpe:/a:redhat:logging:6.0::el9 cpe:/a:redhat:logging:6.1::el9 cpe:/a:redhat:openshift:4.17::el8 cpe:/a:redhat:openshift:4.17::el9
Vendors & Products		Redhat logging

Wed, 26 Mar 2025 03:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat openshift
CPEs		cpe:/a:redhat:openshift:4.18::el9
Vendors & Products		Redhat Redhat openshift

Tue, 25 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 25 Feb 2025 13:45:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-27144 https://www.cve.org/CVERecord?id=CVE-2025-27144
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Mon, 24 Feb 2025 22:30:00 +0000

Type	Values Removed	Values Added
Description		Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.
Title		Go JOSE's Parsing Vulnerable to Denial of Service
Weaknesses		CWE-770
References		https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22 https://github.com/go-jose/go-jose/releases/tag/v4.0.5 https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78
Metrics		cvssV4_0 `{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-02-24T22:22:22.863Z

Updated: 2025-02-25T14:27:04.978Z

Reserved: 2025-02-19T16:30:47.777Z

Link: CVE-2025-27144

Vulnrichment

Updated: 2025-02-25T14:27:00.794Z

NVD

Status : Received

Published: 2025-02-24T23:15:11.427

Modified: 2025-02-24T23:15:11.427

Link: CVE-2025-27144

Redhat

Severity : Moderate

Publid Date: 2025-02-24T22:22:22Z

Links: CVE-2025-27144 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27144", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-19T16:30:47.777Z", "datePublished": "2025-02-24T22:22:22.863Z", "dateUpdated": "2025-02-25T14:27:04.978Z"}, "containers": {"cna": {"title": "Go JOSE's Parsing Vulnerable to Denial of Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78"}, {"name": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22"}, {"name": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5"}], "affected": [{"vendor": "go-jose", "product": "go-jose", "versions": [{"version": ">= 4.0.0, < 4.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-24T22:22:22.863Z"}, "descriptions": [{"lang": "en", "value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters."}], "source": {"advisory": "GHSA-c6gw-w398-hv78", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-25T14:26:42.682392Z", "id": "CVE-2025-27144", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T14:27:04.978Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27144", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-25T14:26:42.682392Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T14:27:00.794Z"}}], "cna": {"title": "Go JOSE's Parsing Vulnerable to Denial of Service", "source": {"advisory": "GHSA-c6gw-w398-hv78", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "go-jose", "product": "go-jose", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.0.5"}]}], "references": [{"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78", "name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22", "name": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5", "name": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-24T22:22:22.863Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27144", "state": "PUBLISHED", "dateUpdated": "2025-02-25T14:27:04.978Z", "dateReserved": "2025-02-19T16:30:47.777Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-24T22:22:22.863Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters."}], "id": "CVE-2025-27144", "lastModified": "2025-02-24T23:15:11.427", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-02-24T23:15:11.427", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22"}, {"source": "security-advisories@github.com", "url": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5"}, {"source": "security-advisories@github.com", "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-central-db-rhel8:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-collector-rhel8:4.6.4-3", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.4-3", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.6.4-7", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-operator-bundle:4.6.4-7", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.6.4-3", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.4-6", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-central-db-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-collector-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.7.1-5", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-operator-bundle:4.7.1-3", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-db-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.7.1-3", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3335", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "opentelemetry-collector-0:0.107.0-8.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3593", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "opentelemetry-collector-0:0.107.0-7.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:3301", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-aws-pod-identity-webhook-rhel9:v4.16.0-202503170806.p0.g459c531.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:3301", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-azure-workload-identity-webhook-rhel9:v4.16.0-202503210503.p0.ga754496.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:3301", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-cloud-credential-rhel9-operator:v4.16.0-202503191806.p0.gaa7ad99.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:3061", "cpe": "cpe:/a:redhat:openshift:4.17::el8", "package": "podman-5:5.2.2-4.rhaos4.17.el8", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3061", "cpe": "cpe:/a:redhat:openshift:4.17::el8", "package": "skopeo-2:1.16.1-1.rhaos4.17.el8", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3059", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-aws-pod-identity-webhook-rhel9:v4.17.0-202503142136.p0.g80efc4e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3059", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-azure-workload-identity-webhook-rhel9:v4.17.0-202503181705.p0.g0e19a4f.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3059", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "ose-cloud-credential-operator-container-v4.17.0-202503182004.p0.g3ba961d.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3066", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/ose-aws-pod-identity-webhook-rhel9:v4.18.0-202503130333.p0.gf54f9a1.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-03-25T00:00:00Z"}, {"advisory": "RHSA-2025:3066", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/ose-azure-workload-identity-webhook-rhel9:v4.18.0-202503172004.p0.gd1dc8ab.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-03-25T00:00:00Z"}, {"advisory": "RHSA-2025:3066", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/ose-cloud-credential-rhel9-operator:v4.18.0-202503181802.p0.g7785eb4.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-03-25T00:00:00Z"}, {"advisory": "RHSA-2025:3068", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "podman-5:5.2.2-6.rhaos4.18.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-03-25T00:00:00Z"}, {"advisory": "RHSA-2025:3068", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "skopeo-2:1.16.1-1.rhaos4.18.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-03-25T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/cluster-logging-operator-bundle:v6.0.6-8", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/cluster-logging-rhel9-operator:v6.0.6-4", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/eventrouter-rhel9:v0.4.0-357", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/log-file-metric-exporter-rhel9:v1.1.0-338", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/logging-loki-rhel9:v3.4.2-7", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/loki-operator-bundle:v6.0.6-10", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/loki-rhel9-operator:v6.0.6-6", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/lokistack-gateway-rhel9:v0.1.0-753", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/opa-openshift-rhel9:v0.1.0-370", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/vector-rhel9:v0.37.1-35", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/cluster-logging-operator-bundle:v6.1.4-10", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/cluster-logging-rhel9-operator:v6.1.4-5", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/eventrouter-rhel9:v0.4.0-356", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/log-file-metric-exporter-rhel9:v1.1.0-337", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/logging-loki-rhel9:v3.4.2-6", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/loki-operator-bundle:v6.1.4-13", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/loki-rhel9-operator:v6.1.4-7", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/lokistack-gateway-rhel9:v0.1.0-752", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/opa-openshift-rhel9:v0.1.0-369", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/vector-rhel9:v0.37.1-34", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3501", "cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.15::el9", "package": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9:sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3743", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8", "package": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8:sha256:360b97d5055aba77fb7cc5c029e910be7e7eb10672df530eca2c91346da2f2b0", "product_name": "Red Hat OpenShift distributed tracing 3.5.1", "release_date": "2025-04-09T00:00:00Z"}, {"advisory": "RHSA-2025:3820", "cpe": "cpe:/a:redhat:trusted_artifact_signer:1.1::el9", "package": "registry.redhat.io/rhtas/cosign-rhel9:sha256:2a2aa8c1a224419be83afe46b0226e168927c19c8bd3f9c4e562e5e5caebb6a9", "product_name": "Red Hat Trusted Artifact Signer 1.1", "release_date": "2025-04-10T00:00:00Z"}, {"advisory": "RHSA-2025:3820", "cpe": "cpe:/a:redhat:trusted_artifact_signer:1.1::el9", "package": "registry.redhat.io/rhtas/gitsign-rhel9:sha256:bef55c43000f266cdb7cf6ea525f7c52f2ee532b7b487ae9752aac31ebded40f", "product_name": "Red Hat Trusted Artifact Signer 1.1", "release_date": "2025-04-10T00:00:00Z"}], "bugzilla": {"description": "go-jose: Go JOSE's Parsing Vulnerable to Denial of Service", "id": "2347423", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347423"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.", "A flaw was found in GO-JOSE. In affected versions, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code uses strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. This issue could be exploied by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service."], "mitigation": {"lang": "en:us", "value": "As a workaround, applications can pre-validate that payloads being passed to Go JOSE do not contain an excessive number of `.` characters."}, "name": "CVE-2025-27144", "package_state": [{"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Affected", "package_name": "cert-manager-operator-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Affected", "package_name": "jetstack-cert-manager-acmesolver-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Affected", "package_name": "jetstack-cert-manager-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Not affected", "package_name": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Not affected", "package_name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/lokistack-gateway-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-installer-agent-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-installer-controller-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-installer-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-service-8-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-service-9-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/hypershift-cli-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/hypershift-rhel9-operator", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Affected", "package_name": "oadp/oadp-mustgather-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines-client", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "authorino-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/acm-must-gather-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:hybrid_cloud_gateway:1::el9", "fix_state": "Affected", "package_name": "authorino-container", "product_name": "Red Hat Connectivity Link"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "skopeo", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/oc-mirror-plugin-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-node-agent-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-cli", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-cli-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-deployer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-hypershift-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-olm-catalogd-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-olm-operator-controller-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-operator-framework-tools-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-operator-lifecycle-manager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-operator-registry-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-tools-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "redhat/redhat-operator-index", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-metrics-exporter-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "opentelemetry-rhel8-operator", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "opentelemetry-target-allocator-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/dex-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/gitops-operator-bundle", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-argocd-rhel9-container", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_service_on_aws:1", "fix_state": "Affected", "package_name": "rosa", "product_name": "Red Hat OpenShift on AWS"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-tekton-tasks-create-datavolume-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "kubevirt-tekton-tasks-test-rhel9-container", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-builder-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Will not fix", "package_name": "createctconfig-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Will not fix", "package_name": "ctlog-managectroots-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Will not fix", "package_name": "fulcio-createcerts-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Will not fix", "package_name": "trillian-createdb-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Will not fix", "package_name": "tuf-server-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}], "public_date": "2025-02-24T22:22:22Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-27144\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-27144\nhttps://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22\nhttps://github.com/go-jose/go-jose/releases/tag/v4.0.5\nhttps://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object