CVE-2024-28176 — MEDIUM (4.9)

Q: How severe is CVE-2024-28176?

CVE-2024-28176 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-28176?

Check the references section above for vendor advisories and patch information. Affected products include: Jose Project Jose, Fedoraproject Fedora.

Vulnerability Description

jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.

CVSS Score

4.9

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Jose Project	Jose	< 2.0.7
Fedoraproject	Fedora	>= 38, <= 40

Related Weaknesses (CWE)

CWE-400

References

https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314Patch
https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8bPatch
https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882qVendor Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314Patch
https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8bPatch
https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882qVendor Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory

FAQ

What is CVE-2024-28176?

CVE-2024-28176 is a vulnerability with a CVSS score of 4.9 (MEDIUM). jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set...

How severe is CVE-2024-28176?

CVE-2024-28176 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-28176?

Check the references section above for vendor advisories and patch information. Affected products include: Jose Project Jose, Fedoraproject Fedora.