CVE-2024-28102 MEDIUM

CVE-2024-28102: JWCrypto vulnerable to JWT bomb Attack in `deserialize` function

Vendor Latchset
Product jwcrypto
Weakness CWE-770 · Uncontrolled resource consumption
Published March 6, 2024
Last update September 9, 2024

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01Description

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.

Key dates

02Disclosure timeline

March 6, 2024 CVE published
September 9, 2024 Record updated