Security
Headlines

Headlines Latest CVEs

Headline

GHSA-2c7c-3mj9-8fqh: Decryption of malicious PBES2 JWE objects can consume unbounded system resources

The go-jose package is subject to a “billion hashes attack” causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

1 year ago

GitHub Advisory Database
GitHub Reviewed
GHSA-2c7c-3mj9-8fqh

Decryption of malicious PBES2 JWE objects can consume unbounded system resources

Moderate severity GitHub Reviewed Published Nov 21, 2023 to the GitHub Advisory Database • Updated Nov 21, 2023

Package

gomod github.com/go-jose/go-jose/v3 (Go)

Affected versions

< 3.0.1

gomod github.com/square/go-jose (Go)

The go-jose package is subject to a “billion hashes attack” causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

References

go-jose/go-jose#64
go-jose/go-jose@65351c2

Published to the GitHub Advisory Database

Nov 21, 2023

Last updated

Nov 21, 2023

ghsa: Latest News

GHSA-x7m9-mv49-fv73: Vaultwarden vulnerable to user impersonation

1 day ago

GHSA-vprm-27pv-jp3w: Vaultwarden authenticated reflected cross-site scripting (XSS) vulnerability

1 day ago

GHSA-g5x8-v2ch-gj2g: Vaultwarden HTML injection vulnerability

1 day ago

GHSA-5xh2-23cc-5jc6: Strawberry GraphQL has type resolution vulnerability in node interface that allows potential data leakage through incorrect type resolution

1 day ago

GHSA-675f-rq2r-jw82: JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh

1 day ago