#VU87329 Resource exhaustion in jose - CVE-2024-28176


Vulnerability identifier: #VU87329

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-28176

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jose
Web applications / JS libraries

Vendor: Filip Skokan

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in the JSON Web Encryption (JWE) decryption interfaces. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

jose: 2.0.0 - 2.0.6, 4.15.0 - 4.15.4

External links
https://github.com/panva/jose/security/advisories/GHSA-hhhv-q57g-882q
https://github.com/panva/jose/commit/02a65794f7873cdaf12e81e80ad076fcdc4a9314
https://github.com/panva/jose/commit/1b91d88d2f8233f3477a5f4579aa5f8057b2ee8b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for jose
Anolis OS update for container-tools:an8 module
Multiple vulnerabilities in HPE Unified OSS Console Assurance Monitoring (UOCAM)
IBM watsonx Orchestrate Cartridge for IBM Cloud Pak for Data update for Node.js jose
openEuler 24.03 LTS SP1 update for podman
openEuler 24.03 LTS update for podman
Multiple vulnerabilities in IBM Concert Software
Red Hat Enterprise Linux 9 update for jose
Multiple vulnerabilities in OpenShift Data Foundation (formerly OpenShift Container Storage) 4.17
Multiple vulnerabilities in OpenShift Data Foundation (formerly OpenShift Container Storage) 4.16