CGA-vqx8-r5hr-jfp2

Published

Last updated

https://images.chainguard.dev/security/CGA-vqx8-r5hr-jfp2

Package

rancher-2.8

Repository

Chainguard

Latest Update

Under investigation

Aliases

GHSA-2c7c-3mj9-8fqh

Summary

Decryption of malicious PBES2 JWE objects can consume unbounded system resources

Description

The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

References

https://github.com/advisories/GHSA-2c7c-3mj9-8fqh
https://github.com/go-jose/go-jose/issues/64
https://github.com/go-jose/go-jose/commit/65351c27657d58960c2e6c9fbb2b00f818e50568
https://github.com/go-jose/go-jose/commit/a3d307244c3bc50b25a71aa0688764c32ec419c7
https://github.com/go-jose/go-jose

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CGA-vqx8-r5hr-jfp2

Summary

Description

References

Updates

Products

Why Chainguard

Customers

Company

Resources