CVE - CVE-2024-28180

CVE-ID
CVE-2024-28180	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
FEDORA:FEDORA-2024-22f1e313dd URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/ FEDORA:FEDORA-2024-453ee0b3b9 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/ FEDORA:FEDORA-2024-45f0a1df95 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/ FEDORA:FEDORA-2024-529fe8a802 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/ FEDORA:FEDORA-2024-560a7aca85 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/ FEDORA:FEDORA-2024-831bad8f8f URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/ FEDORA:FEDORA-2024-9231308a4f URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/ FEDORA:FEDORA-2024-a8a4ce2864 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/ MISC:https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298 URL:https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298 MISC:https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a URL:https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a MISC:https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502 URL:https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502 MISC:https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g URL:https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20240306	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240306)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)

Site Map | Terms of Use | Privacy Policy | Contact Us | Follow CVE

Use of the CVE® List and the associated references from this website are subject to the terms of use. CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 1999–2024, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation.