Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2024-28180

Опубликовано: 09 мар. 2024
Источник: debian

Описание

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
golang-github-go-jose-go-josefixed4.0.1-1package
golang-gopkg-square-go-jose.v2fixed2.6.3-1package
golang-gopkg-square-go-jose.v2no-dsabookwormpackage
golang-gopkg-square-go-jose.v2no-dsabullseyepackage

Примечания

  • https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g

  • https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298 (v2.6.3)

  • https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a (v3.0.3)

  • https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502 (v4.0.1)

Связанные уязвимости

ubuntu логотип

CVE-2024-28180

CVSS3: 4.3
ubuntu
больше 1 года назад

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

redhat логотип

CVE-2024-28180

CVSS3: 4.3
redhat
больше 1 года назад

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

nvd логотип

CVE-2024-28180

CVSS3: 4.3
nvd
больше 1 года назад

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

msrc логотип

CVE-2024-28180

CVSS3: 4.3
msrc
10 месяцев назад

Описание отсутствует

suse-cvrf логотип

SUSE-SU-2025:0066-1

suse-cvrf
7 месяцев назад

Security update for apptainer