CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28102 – JWCrypto vulnerable to JWT bomb Attack in `deserialize` function
https://notcve.org/view.php?id=CVE-2024-28102
06 Mar 2024 — JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length. JWCrypto implementa las especificaciones JWK, JWS y JWE utilizando criptografía Python. • https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6298
https://notcve.org/view.php?id=CVE-2016-6298
01 Sep 2016 — The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA). La clase _Rsa15 en la implementación de algoritmo RSA 1.5 en jwa.py en jwcrypto en versiones anteriores a 0.3.2 carece del mecanismo de protección Random Filling, lo que facilita a atacantes remotos obtener datos en texto plano a través de un Million Message Attack (MM... • http://www.securityfocus.com/bid/92729 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •