Description
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
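The defence described above (rejecting compressed JWE payloads whose inflated size would exceed a fixed ceiling or a fixed multiple of the compressed size) can be demonstrated with a bounded DEFLATE decompressor. The following is an added example written for this page; it is not go-jose's own code and the exact constants used in the go-jose patch are not shown on this page, so `maxDecompressedSize` (250kB read as 250*1024 bytes) and `maxCompressionRatio` (10) are assumptions taken from the description. The decompression bomb it checks against is constructed inline (a few MiB of zero bytes, which DEFLATE shrinks to a few kB).

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// Assumed limits, taken from the advisory text rather than from the go-jose source:
// decompressed output may not exceed 250kB or 10x the compressed input, whichever is larger.
const (
	maxDecompressedSize = 250 * 1024
	maxCompressionRatio = 10
)

// ErrDecompressionBomb is returned when inflating the payload would exceed the limit.
var ErrDecompressionBomb = errors.New("decompressed data exceeds allowed size")

// decompressLimit returns the largest permitted output size for a given compressed length.
func decompressLimit(compressedLen int) int {
	limit := maxDecompressedSize
	if byRatio := compressedLen * maxCompressionRatio; byRatio > limit {
		limit = byRatio
	}
	return limit
}

// DecompressBounded inflates a raw DEFLATE stream (the "zip":"DEF" encoding used by JWE)
// but stops reading as soon as the output would exceed decompressLimit, so a small
// compressed input can never force the process to allocate an arbitrarily large buffer.
func DecompressBounded(compressed []byte) ([]byte, error) {
	limit := decompressLimit(len(compressed))
	fr := flate.NewReader(bytes.NewReader(compressed))
	defer fr.Close()

	// Read at most limit+1 bytes: one byte past the limit is enough to detect the overflow
	// without ever buffering the rest of the stream.
	out, err := io.ReadAll(io.LimitReader(fr, int64(limit)+1))
	if err != nil {
		return nil, err
	}
	if len(out) > limit {
		return nil, ErrDecompressionBomb
	}
	return out, nil
}

// Compress is a helper used only to build test inputs (a normal payload and a bomb).
func Compress(plain []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(plain); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Ordinary payload: well under both limits, decompresses normally.
	small, _ := Compress([]byte(`{"sub":"alice","aud":"api"}`))
	out, err := DecompressBounded(small)
	fmt.Printf("normal payload: %q err=%v\n", out, err)

	// Constructed decompression bomb: 4 MiB of zeros compresses to a few kB,
	// so the 250kB ceiling applies and the call is rejected before inflating it all.
	bomb, _ := Compress(make([]byte, 4<<20))
	_, err = DecompressBounded(bomb)
	fmt.Printf("bomb: compressed=%d bytes limit=%d err=%v\n", len(bomb), decompressLimit(len(bomb)), err)
}
```

The key design point is the `io.LimitReader` wrapping the flate reader: the limit is enforced while streaming, so memory use is bounded by the limit itself rather than by whatever the attacker encoded, and the ratio term lets legitimately large (but honestly sized) payloads through while still capping tiny inputs that expand enormously.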
References (13)
Core References
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/
Vendor Advisory x_refsource_confirm
https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
Patch x_refsource_misc
https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298
Patch x_refsource_misc
https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a
Scores
CVSS v3
4.3
EPSS
0.0486
EPSS Percentile
89.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-409
Status
published
Products (6)
fedoraproject/fedora
38 - 40
go-jose/go-jose
0 - 3.0.3 (Go)
go-jose/go-jose
0 - 4.0.1 (Go)
go-jose/go-jose.v2
0 - 2.6.3 (Go)
go-jose_project/go-jose
2.0.0 - 2.6.3
square/go-jose.v2
0 (Go)
Published
Mar 09, 2024
Tracked Since
Feb 18, 2026