Описание
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
A flaw was found in the golang.org/x/oauth2/jws package in the token parsing component. This vulnerability is made possible because of the use of strings.Split(token, ".") to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of . characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.
Меры по смягчению последствий
To mitigate this vulnerability, it is recommended to pre-validate any payloads passed to go-jose to check that they do not contain an excessive amount of . characters.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-acmesolver-rhel9 | Affected | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Affected | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager-operator-rhel9 | Affected | ||
| cert-manager Operator for Red Hat OpenShift | jetstack-cert-manager-acmesolver-rhel9 | Affected | ||
| cert-manager Operator for Red Hat OpenShift | jetstack-cert-manager-rhel9 | Affected | ||
| Cryostat 3 | cryostat-tech-preview/cryostat-storage-rhel8 | Affected | ||
| Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8 | Affected | ||
| Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8 | Affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel9 | Affected | ||
| Migration Toolkit for Applications 7 | mta-dotnet-external-provider-container | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
An attacker can pass a malicious malformed token which causes unexpect ...
EPSS
7.5 High
CVSS3