Decryption of malicious PBES2 JWE objects can consume unbounded system resources

Moderate severity GitHub Reviewed Published Nov 21, 2023 to the GitHub Advisory Database • Updated Feb 27, 2024

Package: gomod github.com/go-jose/go-jose/v3 (Go)
Affected versions: < 3.0.1
Patched versions: 3.0.1

Package: gomod github.com/square/go-jose (Go)
Affected versions: < 2.6.2
Patched versions: 2.6.2

Description

The go-jose package is subject to a "billion hashes attack" that causes denial of service when decrypting JWE inputs: an attacker who can supply a PBES2-encrypted JWE blob with a very large p2c value makes the decryption of that blob consume unbounded system resources.
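As an added illustration (not code from go-jose or from this advisory), the following standalone Go check inspects only the protected header of a compact JWE before any key unwrapping happens and refuses PBES2 inputs whose p2c (the PBKDF2 iteration count) exceeds a ceiling. The cap value, the helper names and the constructed sample headers are assumptions, not values taken from the advisory.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// maxP2C is an assumed defensive ceiling on the PBKDF2 iteration count
// (the p2c header). The advisory gives no number; this value is hypothetical.
const maxP2C = 1000000
type protectedHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	P2C int64  `json:"p2c"`
	P2S string `json:"p2s"`
}

// checkPBES2Header parses only the protected header (first segment) of a compact
// JWE and rejects PBES2 inputs whose p2c would let the sender dictate the hashing cost.
func checkPBES2Header(compactJWE string) (int64, error) {
	segs := strings.Split(compactJWE, ".")
	if len(segs) != 5 {
		return 0, errors.New("not a compact JWE (expected 5 segments)")
	}
	raw, err := base64.RawURLEncoding.DecodeString(segs[0])
	if err != nil {
		return 0, fmt.Errorf("protected header is not base64url: %w", err)
	}
	var hdr protectedHeader
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return 0, fmt.Errorf("protected header is not JSON: %w", err)
	}
	if !strings.HasPrefix(hdr.Alg, "PBES2-") {
		return 0, nil // not password-based; p2c is irrelevant
	}
	if hdr.P2C <= 0 || hdr.P2C > maxP2C {
		return hdr.P2C, fmt.Errorf("refusing p2c=%d (allowed 1..%d)", hdr.P2C, maxP2C)
	}
	return hdr.P2C, nil
}

// buildJWE constructs a placeholder compact JWE; only its header is ever inspected.
func buildJWE(alg string, p2c int64) string {
	h, _ := json.Marshal(protectedHeader{Alg: alg, Enc: "A256GCM", P2C: p2c, P2S: "c2FsdA"})
	return base64.RawURLEncoding.EncodeToString(h) + ".ek.iv.ct.tag"
}
```

A header that fails this check is rejected before a single PBKDF2 round is computed, so the cost of a hostile blob stays at one base64 decode and one small JSON parse.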

Published to the GitHub Advisory Database Nov 21, 2023
Reviewed Nov 21, 2023
Last updated Feb 27, 2024

Severity

Moderate

CVE ID

No known CVE

GHSA ID

GHSA-2c7c-3mj9-8fqh
