Upstream information

CVE-2024-28102 at MITRE

Description

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v3 Scores
  SUSE
Base Score 6.8
Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Changed
Confidentiality Impact None
Integrity Impact None
Availability Impact High
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1221230 [RESOLVED / FIXED]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
SUSE Liberty Linux 9
  • python3-jwcrypto >= 0.8-5.el9_4
Patchnames:
RHSA-2024:2559
openSUSE Tumbleweed
  • python310-jwcrypto >= 1.5.6-2.1
  • python311-jwcrypto >= 1.5.6-2.1
  • python312-jwcrypto >= 1.5.6-2.1
  • python39-jwcrypto >= 1.5.6-2.1
Patchnames:
openSUSE-Tumbleweed-2024-13798


SUSE Timeline for this CVE

CVE page created: Sun Mar 10 13:00:13 2024
CVE page last modified: Tue Sep 3 19:34:22 2024