Описание
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| python-jose | removed | package |
Примечания
https://github.com/mpdavis/python-jose/issues/344
https://github.com/mpdavis/python-jose/pull/352
Fixed by: https://github.com/mpdavis/python-jose/commit/8e1f521a7588dd6bfe553c3d3f320ab7a55bba36 (3.4.0)
Связанные уязвимости
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
Duplicate Advisory: python-jose denial of service via compressed JWE content
Уязвимость библиотеки python-jose, связанная с некорректной обработкой сильно сжатых входных данных, позволяющая нарушителю вызвать отказ в обслуживании