CVE-2023-52428

Опубликовано: 11 фев. 2024

Источник: redhat

CVSS3: 7.5

EPSS Низкий

Описание

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

A vulnerability was found in the Nimbus Jose JWT package. By crafting a JWE with an excessively large p2c value, an attacker can trigger significant resource consumption during decryption, potentially leading to application slowdown or unavailability.

Затронутые пакеты

Платформа	Пакет	Состояние
Cryostat 3	com.nimbusds/nimbus-jose-jwt	Not affected
Logging Subsystem for Red Hat OpenShift	com.nimbusds/nimbus-jose-jwt	Affected
Red Hat AMQ Broker 7	com.nimbusds/nimbus-jose-jwt	Will not fix
Red Hat build of Apache Camel 4 for Quarkus 3	com.nimbusds/nimbus-jose-jwt	Not affected
Red Hat build of Apache Camel for Spring Boot 3	com.nimbusds/nimbus-jose-jwt	Affected
Red Hat build of Apache Camel - HawtIO 4	com.nimbusds/nimbus-jose-jwt	Affected
Red Hat build of Apicurio Registry 2	com.nimbusds/nimbus-jose-jwt	Affected
Red Hat Build of Keycloak	com.nimbusds/nimbus-jose-jwt	Not affected
Red Hat build of Quarkus	com.nimbusds/nimbus-jose-jwt	Not affected
Red Hat Fuse 7	com.nimbusds/nimbus-jose-jwt	Will not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-400

https://bugzilla.redhat.com/show_bug.cgi?id=2309764nimbus-jose-jwt: large JWE p2c header value causes Denial of Service

EPSS

Процентиль: 23%

0.00078

Низкий

7.5 High

CVSS3

Связанные уязвимости

CVE-2023-52428

CVSS3: 7.5

nvd

почти 2 года назад

GHSA-gvpg-vgmx-xg6w

CVSS3: 7.5

github

почти 2 года назад

Denial of Service in Connect2id Nimbus JOSE+JWT

BDU:2024-03299

CVSS3: 7.5

fstec

почти 2 года назад

Уязвимость компонента PasswordBasedDecrypter Java-библиотеки Nimbus JOSE + JWT, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 23%

0.00078

Низкий

7.5 High

CVSS3