Security advisories

GHSA-mhpq-9638-x6pw

Published

Last updated

https://github.com/advisories/GHSA-mhpq-9638-x6pw

Severity

5.3

Medium

CVSS V3

Description

Denial of service when decrypting attack controlled input in github.com/dvsekhvalnov/jose2go. An attacker controlled input of a PBES2 encrypted JWE blob can have a very large p2c value that, when decrypted, produces a denial-of-service.

References

https://github.com/dvsekhvalnov/jose2go/issues/31
https://github.com/dvsekhvalnov/jose2go/commit/a4584e9dd7128608fedbc67892eba9697f0d5317
https://github.com/dvsekhvalnov/jose2go
https://www.blackhat.com/us-23/briefings/schedule/#three-new-attacks-against-json-web-tokens-31695

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore.

Changes to static, git and busybox images

Products

Chainguard Images

Developer

Open source Docs

Resources

Unchained blog Chainguard Labs Customer stories Scanners Security Education

Company

About Newsroom Careers Chainguard love Legal Contact

Twitter GitHub LinkedIn TikTok