CVE-2024-33664
Aliases:GHSA-cjwg-qfpm-7377PYSEC-2024-233ECHO-bcfa-be1b-cafd
Advisory lineage Upstream: 0 Downstream: 4
Analyzed
Published: 25 Apr 2024, 00:00
Last modified:05 Sept 2024, 15:28
Vulnerability Summary
Overall Risk (default)
medium
31/100 CVSS Score
5.3 MEDIUM
v3.1 (cve.org)
EPSS Score
0.25% LOW
0% probability +0.06%
KEV
Not listed
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected
Timeline
25 Apr 2024, 00:00
Published
Vulnerability first disclosed
05 Sept 2024, 15:28
Last Modified
Vulnerability information updated
Description
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Trends
Current EPSS score: 0.25%• Percentile: 49%
Techniques & Countermeasures
- CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
Affected Systems
- PyPI•python-jose
< 3.4.0
- python-jose_project•python-jose
≤ 3.3.0
References (7)
- https://github.com/mpdavis/python-jose/issues/344
- https://github.com/mpdavis/python-jose/pull/345
- https://www.vicarius.io/vsociety/posts/jwt-bomb-in-python-jose-cve-2024-33664
- https://nvd.nist.gov/vuln/detail/CVE-2024-33664
- https://github.com/mpdavis/python-jose
- https://github.com/mpdavis/python-jose/releases/tag/3.4.0
- https://github.com/pypa/advisory-database/tree/main/vulns/python-jose/PYSEC-2024-233.yaml