CVE-2024-28102

JWCrypto vulnerable to JWT bomb Attack in `deserialize` function

Severity Score

6.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.

JWCrypto implementa las especificaciones JWK, JWS y JWE utilizando criptografía Python. Antes de la versión 1.5.6, un atacante podía provocar un ataque de denegación de servicio al pasar un token JWE malicioso con una alta tasa de compresión. Cuando el servidor procese este token, consumirá mucha memoria y tiempo de procesamiento. La versión 1.5.6 corrige esta vulnerabilidad limitando la longitud máxima del token.

An uncontrolled resource consumption vulnerability was found in python-jwcrypto. If a malicious JWE token with a high compression ratio is passed to the server, the server will consume a lot of memory and processing time, leading to a denial of service.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Multiple

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-04 CVE Reserved
2024-03-06 CVE Published
2024-03-07 EPSS Updated
2024-09-09 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (4)

URL	Tag	Source
https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f	X_refsource_misc
https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-28102	2024-07-12
https://bugzilla.redhat.com/show_bug.cgi?id=2268758	2024-07-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Latchset Search vendor "Latchset"		Jwcrypto Search vendor "Latchset" for product "Jwcrypto"				< 1.5.6 Search vendor "Latchset" for product "Jwcrypto" and version " < 1.5.6"		en		Affected