In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
oryginał ENCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LPython Jose Project Python Jose
APPPython-Jose Project3.3.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Powiązane podatności
CVE-2016-7036CRITICAL9.8ten sam produkt
python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant t...
CVE-2024-33663MEDIUM6.5ten sam produkt
python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is simil...
CVE-2024-33664MEDIUM5.3ten sam produkt
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode...