Upstream information
CVE-2024-28176 at MITRE
Description
jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume an unreasonable amount of CPU time or memory during JWE decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
No SUSE Bugzilla entries cross referenced.
SUSE Security Advisories:
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Liberty Linux 8 | aardvark-dns >= 1.10.0-1.module+el8.10.0+21962+8143777b | Patchnames: RHSA-2024:3968 RHSA-2024:5294 |
| | buildah >= 1.33.7-2.module+el8.10.0+21962+8143777b | |
| | buildah-tests >= 1.33.7-2.module+el8.10.0+21962+8143777b | |
| | cockpit-podman >= 84.1-1.module+el8.10.0+21962+8143777b | |
| | conmon >= 2.1.10-1.module+el8.10.0+21962+8143777b | |
| | container-selinux >= 2.229.0-2.module+el8.10.0+21962+8143777b | |
| | containernetworking-plugins >= 1.4.0-2.module+el8.10.0+21962+8143777b | |
| | containers-common >= 1-81.module+el8.10.0+21962+8143777b | |
| | crit >= 3.18-5.module+el8.10.0+21962+8143777b | |
| | criu >= 3.18-5.module+el8.10.0+21962+8143777b | |
| | criu-devel >= 3.18-5.module+el8.10.0+21962+8143777b | |
| | criu-libs >= 3.18-5.module+el8.10.0+21962+8143777b | |
| | crun >= 1.14.3-2.module+el8.10.0+21962+8143777b | |
| | fuse-overlayfs >= 1.13-1.module+el8.10.0+21962+8143777b | |
| | jose >= 10-2.el8_10.3 | |
| | libjose >= 10-2.el8_10.3 | |
| | libjose-devel >= 10-2.el8_10.3 | |
| | libslirp >= 4.4.0-2.module+el8.10.0+21962+8143777b | |
| | libslirp-devel >= 4.4.0-2.module+el8.10.0+21962+8143777b | |
| | netavark >= 1.10.3-1.module+el8.10.0+21962+8143777b | |
| | oci-seccomp-bpf-hook >= 1.2.10-1.module+el8.10.0+21962+8143777b | |
| | podman >= 4.9.4-3.module+el8.10.0+21974+acd2159c | |
| | podman-catatonit >= 4.9.4-3.module+el8.10.0+21974+acd2159c | |
| | podman-docker >= 4.9.4-3.module+el8.10.0+21974+acd2159c | |
| | podman-gvproxy >= 4.9.4-3.module+el8.10.0+21974+acd2159c | |
| | podman-plugins >= 4.9.4-3.module+el8.10.0+21974+acd2159c | |
| | podman-remote >= 4.9.4-3.module+el8.10.0+21974+acd2159c | |
| | podman-tests >= 4.9.4-3.module+el8.10.0+21974+acd2159c | |
| | python3-criu >= 3.18-5.module+el8.10.0+21962+8143777b | |
| | python3-podman >= 4.9.0-1.module+el8.10.0+21962+8143777b | |
| | runc >= 1.1.12-1.module+el8.10.0+21974+acd2159c | |
| | skopeo >= 1.14.3-2.module+el8.10.0+21962+8143777b | |
| | skopeo-tests >= 1.14.3-2.module+el8.10.0+21962+8143777b | |
| | slirp4netns >= 1.2.3-1.module+el8.10.0+21962+8143777b | |
| | toolbox >= 0.0.99.5-2.module+el8.10.0+21962+8143777b | |
| | toolbox-tests >= 0.0.99.5-2.module+el8.10.0+21962+8143777b | |
| | udica >= 0.2.6-21.module+el8.10.0+21962+8143777b | |
| SUSE Liberty Linux 9 | buildah >= 1.33.7-2.el9_4 | Patchnames: RHSA-2024:3826 RHSA-2024:3827 RHSA-2024:9181 |
| | buildah-tests >= 1.33.7-2.el9_4 | |
| | jose >= 14-1.el9 | |
| | libjose >= 14-1.el9 | |
| | libjose-devel >= 14-1.el9 | |
| | podman >= 4.9.4-4.el9_4 | |
| | podman-docker >= 4.9.4-4.el9_4 | |
| | podman-plugins >= 4.9.4-4.el9_4 | |
| | podman-remote >= 4.9.4-4.el9_4 | |
| | podman-tests >= 4.9.4-4.el9_4 | |
SUSE Timeline for this CVE
CVE page created: Sat Mar 9 03:00:04 2024
CVE page last modified: Thu Nov 21 19:53:36 2024