Описание
In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
A flaw was found in jose4j. A remote attacker can exploit this by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. This can lead to a Denial of Service, making the service unavailable to legitimate users.
Отчет
This vulnerability is rated Important as it can lead to a Denial of Service in applications that process untrusted JSON Web Encryption tokens. An attacker can craft a malicious JWE token with an exceptionally high compression ratio, causing excessive memory allocation and processing time during decompression in affected components like jose4j. This affects products such as Red Hat AMQ, Enterprise Application Platform (EAP 8.0.z, 8.1.z), Red Hat JBoss Fuse, JBoss Data Grid, OpenShift Developer Tools & Services, Red Hat build of Apache Camel, Red Hat Integration, Red Hat OpenShift Dev Spaces, Red Hat Process Automation Manager, Red Hat Single Sign-On (RH-SSO), Insights, cloud.redhat.com, and OpenShift Serverless.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | jenkins-2-plugins | Affected | ||
| OpenShift Serverless | openshift-serverless-1/kn-ekb-dispatcher-rhel9 | Affected | ||
| OpenShift Serverless | openshift-serverless-1/kn-ekb-receiver-rhel9 | Affected | ||
| Red Hat build of Apache Camel for Spring Boot 4 | jose4j | Not affected | ||
| Red Hat build of Apache Camel - HawtIO 4 | jose4j | Not affected | ||
| Red Hat build of Apicurio Registry 2 | jose4j | Affected | ||
| Red Hat build of Apicurio Registry 3 | jose4j | Affected | ||
| Red Hat build of Debezium 2 | jose4j | Will not fix | ||
| Red Hat build of Debezium 3 | jose4j | Will not fix | ||
| Red Hat build of Quarkus | jose4j | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS ...
jose4j is vulnerable to DoS via compressed JWE content
Уязвимость JWT-библиотеки Jose4j, связанная с неправильной защитой токенов безопасности, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
7.5 High
CVSS3