CVE-2024-28102 – JWCrypto vulnerable to JWT bomb Attack in `deserialize` function
https://notcve.org/view.php?id=CVE-2024-28102
06 Mar 2024 — JWCrypto implements the JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service by passing in a malicious JWE token whose compressed payload has a very high compression ratio. When the server decompresses this token it consumes a large amount of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length. • https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f • CWE-400: Uncontrolled Resource Consumption • CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2023-6681 – Jwcrypto: denial of service via specifically crafted JWE
https://notcve.org/view.php?id=CVE-2023-6681
12 Feb 2024 — A vulnerability was found in JWCrypto. A specifically crafted JWE allows an attacker to cause a denial of service (DoS) and to make password brute-force and dictionary attacks more resource-intensive. Processing such a token consumes a large amount of computation, resulting in denial of service. • https://access.redhat.com/errata/RHSA-2024:3267 • CWE-400: Uncontrolled Resource Consumption
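Both advisories are about resource limits that a JWE consumer must enforce before it spends memory or CPU on attacker-controlled input. The following is an added example written for this page; it is not jwcrypto's code and does not import jwcrypto. It shows the two checks behind CVE-2024-28102 (a hard cap on token length, and a bounded inflate of a "zip":"DEF" payload so a compression bomb is rejected before it materialises) and, for the second entry, which does not say which header field the crafted JWE abuses, the analogous check of capping the PBES2 p2c iteration count that a JWE header can dictate. The limits, the function names (safe_inflate, check_jwe_compact, make_token, build_bomb) and the JWE-shaped tokens are all constructed for the example; the key, IV and tag segments are placeholders, since only the header and the decompression step are exercised.

```python
import base64
import json
import zlib

# Limits are assumptions chosen for this example, not jwcrypto's defaults.
MAX_TOKEN_BYTES = 250_000       # reject oversized tokens before any parsing
MAX_INFLATED_BYTES = 1_000_000  # cap plaintext growth when "zip":"DEF" is used
MAX_P2C = 1_000_000             # cap PBES2 iteration count taken from an untrusted header


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951, no zlib header), the encoding JWE "zip":"DEF" uses."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def safe_inflate(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate raw DEFLATE but refuse to produce more than `limit` bytes.

    zlib's max_length argument stops inflation as soon as the output cap is
    reached, so a bomb is detected after at most limit+1 bytes of output
    rather than after the whole plaintext has been allocated.
    """
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, limit + 1)   # one byte past the cap is enough to detect overflow
    if len(out) > limit:
        raise ValueError(f"inflated plaintext would exceed {limit} bytes")
    if not d.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    return out


def build_bomb(inflated_size: int) -> bytes:
    """Constructed attacker input: a highly compressible plaintext (all zero bytes)."""
    return deflate_raw(b"\x00" * inflated_size)


def check_jwe_compact(token: str) -> dict:
    """Pre-decryption checks on a JWE compact token; returns the protected header."""
    if len(token) > MAX_TOKEN_BYTES:
        raise ValueError(f"token length {len(token)} exceeds {MAX_TOKEN_BYTES}")
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization must have 5 segments")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("zip") not in (None, "DEF"):
        raise ValueError("unsupported zip algorithm")
    if str(header.get("alg", "")).startswith("PBES2"):
        # p2c is the PBKDF2 iteration count; an unbounded value lets the sender
        # dictate how much CPU every unwrap attempt costs.
        p2c = header.get("p2c")
        if isinstance(p2c, bool) or not isinstance(p2c, int) or not 1 <= p2c <= MAX_P2C:
            raise ValueError("PBES2 p2c missing or outside the allowed range")
    return header


def make_token(header: dict, payload_segment: bytes) -> str:
    """Constructed JWE-shaped token: real header, placeholder key/IV/tag segments."""
    placeholder = b64url_encode(b"\x00" * 16)
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     placeholder, placeholder, b64url_encode(payload_segment), placeholder])


if __name__ == "__main__":
    bomb = build_bomb(20_000_000)   # ~20 MB of zeros compresses to a few tens of KB
    print(f"bomb: {len(bomb)} bytes compressed")
    for blob in (deflate_raw(b'{"sub":"alice"}'), bomb):
        try:
            print("inflated", len(safe_inflate(blob)), "bytes")
        except ValueError as e:
            print("rejected:", e)
    hdr = {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "zip": "DEF", "p2c": 2**31}
    try:
        check_jwe_compact(make_token(hdr, bomb))
    except ValueError as e:
        print("rejected:", e)
```

In a real JWE pipeline the inflate step runs on the plaintext after decryption, which is exactly why the token-length cap in check_jwe_compact matters: it is the only check that fires before any key unwrapping or decryption work is done, while safe_inflate bounds the second stage that the compressed ciphertext alone cannot reveal.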