Описание
Decryption of malicious PBES2 JWE objects can consume unbounded system resources
The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.
Пакеты
Наименование
github.com/go-jose/go-jose/v3
go
Затронутые версииВерсия исправления
< 3.0.1
3.0.1
Наименование
github.com/square/go-jose
go
Затронутые версииВерсия исправления
< 2.6.2
2.6.2
Дефекты
CWE-400
Дефекты
CWE-400