CVE-2024-28102 Common Vulnerabilities and Exposures

Upstream information

CVE-2024-28102 at MITRE

Description

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v3 Scores
	SUSE
Base Score	6.8
Vector	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	None
Scope	Changed
Confidentiality Impact	None
Integrity Impact	None
Availability Impact	High
CVSSv3 Version	3.1

SUSE Bugzilla entry: 1221230 [RESOLVED / FIXED]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Liberty Linux 9	`python3-jwcrypto >= 0.8-5.el9_4`	Patchnames: RHSA-2024:2559
openSUSE Tumbleweed	`python310-jwcrypto >= 1.5.6-2.1` `python311-jwcrypto >= 1.5.6-2.1` `python312-jwcrypto >= 1.5.6-2.1` `python39-jwcrypto >= 1.5.6-2.1`	Patchnames: openSUSE-Tumbleweed-2024-13798

SUSE Timeline for this CVE

CVE page created: Sun Mar 10 13:00:13 2024
CVE page last modified: Tue Sep 3 19:34:22 2024