CVE-2024-28180

MEDIUM EPSS 77.8%
Published Mar 9, 20242y ago · Modified Jun 17, 20262w ago
4.3 CVSS 3.1
Medium
Find Similar
Published Mar 9, 2024 2y ago
Last Modified Jun 17, 2026 2w ago

Description

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

CVSS Details

Base Score
4.3
Exploitability
2.8
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability Low

Threat Intelligence

EPSS Exploit Probability
77.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-409

Affected Products 4

VendorProductVersionRange
go-jose_projectgo-jose*≥2.0.0  –  <2.6.3
go-jose_projectgo-jose*≥3.0.0  –  <3.0.3
go-jose_projectgo-jose*≥4.0.0  –  <4.0.1
fedoraprojectfedora*≥38  –  ≤40

References 13

  • github.com https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298
    Patch
  • github.com https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a
    Patch
  • github.com https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502
    Patch
  • github.com https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
    Vendor Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/
    Mailing ListThird Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/
    Mailing ListThird Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/
    Mailing ListThird Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/
    Mailing ListThird Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/
    Mailing ListThird Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/
    Mailing ListThird Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/
    Mailing ListThird Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/
    Mailing ListThird Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/
    Mailing ListThird Party Advisory

Remediation

  • github.com https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298
    Patch
  • github.com https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a
    Patch
  • github.com https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502
    Patch