Vulnerability Description
Package jose aims to provide an implementation of the JavaScript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that uses large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
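A bounded inflate of the kind the fix describes, as an added example in Go (this is not go-jose's own code; the budget constants follow the advisory's 250 kB / 10x rule, "250kB" is assumed to mean 250,000 bytes, and the names inflateBounded, decompressionLimit and deflate are this example's own):

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"io"
)

// Budget from the advisory text: the larger of 250 kB or 10x the compressed
// size. Assumption: "250kB" is read as 250,000 bytes.
const maxDecompressedBytes, maxExpansionRatio = 250_000, 10

var ErrDecompressionTooLarge = errors.New("decompressed payload exceeds allowed size")

// decompressionLimit returns the output byte budget for a payload of the
// given compressed length.
func decompressionLimit(compressedLen int) int {
	if limit := compressedLen * maxExpansionRatio; limit > maxDecompressedBytes {
		return limit
	}
	return maxDecompressedBytes
}

// inflateBounded inflates a raw DEFLATE stream (the JWE "zip":"DEF" encoding)
// but fails as soon as the output would exceed the budget, so a small
// ciphertext can no longer expand into an unbounded allocation.
func inflateBounded(compressed []byte) ([]byte, error) {
	limit := decompressionLimit(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Read at most limit+1 bytes: the extra byte reveals an over-budget stream.
	out, err := io.ReadAll(io.LimitReader(r, int64(limit)+1))
	if err != nil {
		return nil, err
	}
	if len(out) > limit {
		return nil, ErrDecompressionTooLarge
	}
	return out, nil
}

// deflate is a helper used only to build inputs, e.g. a constructed bomb
// from make([]byte, 8<<20): a few kB that would inflate to 8 MiB.
func deflate(data []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}
```

Feeding deflate(make([]byte, 8<<20)) to inflateBounded returns ErrDecompressionTooLarge after reading just over 250,000 bytes, while a small JSON payload round-trips unchanged.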
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Go-Jose Project | Go-Jose | >= 2.0.0, < 2.6.3 |
| Fedoraproject | Fedora | >= 38, <= 40 |
Related Weaknesses (CWE)
References
- https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f2 (Patch)
- https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b2 (Patch)
- https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf963395 (Patch)
- https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g (Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/[email protected] (Mailing List, Third Party Advisory)
FAQ
What is CVE-2024-28180?
CVE-2024-28180 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memo...
How severe is CVE-2024-28180?
CVE-2024-28180 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2024-28180?
Check the references section above for vendor advisories and patch information. Affected products include: Go-Jose Project Go-Jose, Fedoraproject Fedora.