#VU76239 Infinite loop in node-jose - CVE-2023-25653

Cybersecurity Help s.r.o.

Published: 2023-05-17

Vulnerability identifier: #VU76239

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-25653

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
node-jose
Universal components / Libraries / Libraries used by multiple products

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a possible infinite loop in an internal calculation when using the non-default "fallback" crypto back-end. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

node-jose: before 2.2.0

External links
https://github.com/cisco/node-jose/commit/901d91508a70e3b9bdfc45688ea07bb4e1b8210d
https://github.com/cisco/node-jose/security/advisories/GHSA-5h4j-qrvg-9xhw

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

IBM Maximo Application Suite update for Cisco node-jose

Multiple vulnerabilities in IBM Security Verify Information Queue