Описание
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
A flaw was found in python-jose. This vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio, leading to significant memory allocation and processing time during decompression.
Отчет
This vulnerability is rated Moderate for Red Hat products as it allows an attacker to cause a Denial-of-Service (DoS) by crafting a malicious JSON Web Encryption (JWE) token. When processed by applications utilizing python-jose, this token can lead to excessive memory allocation and processing time during decompression. This affects Red Hat Ansible Automation Platform, OpenShift Lightspeed, Red Hat OpenShift AI, and other services that use python-jose for JWE token handling.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-ocp-rag-rhel9 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/lightspeed-chatbot-rhel8 | Affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/lightspeed-chatbot-rhel9 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | python-jose | Will not fix | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-llama-stack-core-rhel9 | Affected | ||
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-trustyai-ragas-lls-provider-dsp-rhel9 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allow ...
Duplicate Advisory: python-jose denial of service via compressed JWE content
Уязвимость библиотеки python-jose, связанная с некорректной обработкой сильно сжатых входных данных, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
7.5 High
CVSS3