jose4j denial of service via specifically crafted JWE · CVE-2023-51775 · GitHub Advisory Database · GitHub

jose4j denial of service via specifically crafted JWE

Moderate severity GitHub Reviewed Published Feb 29, 2024 to the GitHub Advisory Database • Updated Aug 14, 2024

Package

org.bitbucket.b_c:jose4j (Maven)

Affected versions

< 0.9.4

Patched versions

0.9.4

Description

The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

References

Published by the National Vulnerability Database

Feb 29, 2024

Published to the GitHub Advisory Database Feb 29, 2024

Reviewed Feb 29, 2024

Last updated Aug 14, 2024

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H