CVE-2024-28180

Aliases: GHSA-c5q2-7r4c-mv6g, GO-2024-2631, CGA-9vg5-h493-cxr7, CGA-9vf9-m4f8-6392, CGA-g5hx-8r47-pf39, CGA-hmfp-f3v3-528v, CGA-hrqx-74pg-5m88, CGA-m474-c57g-8945, CGA-r356-23m2-5p37, CGA-v3wf-pwmr-vcw5, CGA-w52c-j6q8-cf23, CGA-w7jq-8v28-882j, CGA-chh8-vhg4-2qj7
Analyzed
Published: 09 Mar 2024, 00:54
Last modified: 13 Feb 2025, 17:47

Vulnerability Summary

Overall Risk (default)
low
18/100
CVSS Score
4.3 MEDIUM
v3.1 (cve.org)
EPSS Score
4.99% LOW
5% probability +1.34%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

09 Mar 2024, 00:54
Published
Vulnerability first disclosed
13 Feb 2025, 17:47
Last Modified
Vulnerability information updated

Description

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
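The mitigation the description states (refuse to inflate a JWE payload once the output would exceed 250 kB or 10x the compressed size, whichever is larger) is easy to get wrong if the whole stream is inflated first and measured afterwards, because by then the memory and CPU have already been spent. The following is an added example, written for this page and not taken from go-jose; it assumes raw DEFLATE input as used by the JWE "zip":"DEF" parameter and takes its two limit constants from the advisory text above. The limit is enforced while reading, with io.LimitReader, so an over-sized output is cut off before it is buffered.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// Limits as stated in the advisory: 250 kB or 10x the compressed size,
// whichever is larger. These are constants for this example, not a
// reproduction of go-jose's source.
const (
	minDecompressedLimit  = 250 * 1024
	decompressedRatioLimit = 10
)

var ErrDecompressionLimit = errors.New("decompressed payload exceeds the allowed size")

// decompressLimit returns the maximum number of plaintext bytes we are
// willing to produce for a compressed payload of the given length.
func decompressLimit(compressedLen int) int64 {
	limit := int64(compressedLen) * decompressedRatioLimit
	if limit < minDecompressedLimit {
		limit = minDecompressedLimit
	}
	return limit
}

// safeInflate inflates raw DEFLATE data but stops reading as soon as the
// output would exceed the limit, so a highly compressed input cannot force
// the process to allocate or spend CPU beyond that bound.
func safeInflate(compressed []byte) ([]byte, error) {
	limit := decompressLimit(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Read limit+1 bytes at most: the one extra byte is how we detect that
	// the stream had more to give without ever buffering the excess.
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrDecompressionLimit
	}
	return out, nil
}

// deflate compresses plaintext; only used here to build constructed sample inputs.
func deflate(plain []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(plain); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed sample 1: a small JWT-style claims object, well within the limit.
	small, _ := deflate([]byte(`{"sub":"alice","exp":1700000000}`))
	out, err := safeInflate(small)
	fmt.Printf("small payload: %d -> %d bytes, err=%v\n", len(small), len(out), err)

	// Constructed sample 2: 4 MiB of zero bytes, which DEFLATE shrinks to a few kB.
	// The limit is max(250 kB, 10x compressed), so inflation is refused.
	bomb, _ := deflate(make([]byte, 4<<20))
	out, err = safeInflate(bomb)
	fmt.Printf("amplified payload: %d compressed bytes, limit %d, returned %d bytes, err=%v\n",
		len(bomb), decompressLimit(len(bomb)), len(out), err)
}
```

The 10x ratio matters for legitimately large tokens: a 100 kB compressed payload is allowed to inflate to 1000 kB, while anything under 25 kB compressed still gets the flat 250 kB allowance. Checking the size after a full io.ReadAll without the LimitReader would give the same verdict but only after the amplified data had already been materialised.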

CVSS Metrics

  • v3.1 MEDIUM, score 4.3: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

EPSS Trends

Current EPSS score: 4.99% Percentile: 90%

Techniques & Countermeasures

  • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)

    The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Affected Systems

  • chainguard / bank-vaults

    < 1.20.4-r8

  • chainguard / consul-1.17

    < 1.17.4-r4

  • chainguard / consul-1.17-fips

    < 1.17.4-r5

  • chainguard / kots

    < 1.108.0-r2

  • chainguard / kyverno

    < 1.11.4-r5

  • chainguard / sops

    < 3.8.1-r4

  • chainguard / traefik

    < 2.11.0-r2

  • chainguard / traefik-fips

    < 2.11.0-r0

  • chainguard / vault-fips-1.14

    < 1.14.10-r0

  • chainguard / zot

    < 2.0.1-r7

  • fedoraproject / fedora

    ≥ 38, ≤ 40

  • go-jose_project / go-jose

    ≥ 2.0.0, < 2.6.3 | ≥ 3.0.0, < 3.0.3 | ≥ 4.0.0, < 4.0.1

  • go-jose / go-jose

    < 4.0.1 | < 3.0.3 | < 2.6.3

  • github.com/go-jose/go-jose/v3

    < 3.0.3

  • github.com/go-jose/go-jose/v4

    < 4.0.1

  • gopkg.in/go-jose/go-jose.v2

    < 2.6.3

  • gopkg.in/square/go-jose.v2

    ≤ 2.6.0 | all

References (24)