Описание
jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS a system doing JWS verification. This vulnerability has been patched in versions 2.0.19 and 1.2.28.
Ссылки
- Patch
- Patch
- ExploitVendor Advisory
- Patch
- Patch
- ExploitVendor Advisory
Уязвимые конфигурации
EPSS
4.3 Medium
CVSS3
7.5 High
CVSS3
Дефекты
Связанные уязвимости
jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling `jws.Parse` with a JSON serialized payload where the `signature` field is present while `protected` is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS a system doing JWS verification. This vulnerability has been patched in versions 2.0.19 and 1.2.28.
Parsing JSON serialized payload without protected field can lead to segfault
EPSS
4.3 Medium
CVSS3
7.5 High
CVSS3