DEBIAN-CVE-2024-28180
Advisory lineage: Upstream: 1, Downstream: 0 (this record: Upstream)
Published: 09 Mar 2024, 01:15
Last modified: 28 Apr 2026, 20:27
Vulnerability Summary
Overall Risk (default): low (17/100)
CVSS Score: 4.3 MEDIUM (v3.1, source: osv_debian)
EPSS Score: No data
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Timeline
- 09 Mar 2024, 01:15: Published (vulnerability first disclosed)
- 28 Apr 2026, 20:27: Last Modified (vulnerability information updated)
Description
Package jose aims to provide an implementation of the JavaScript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250 kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
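The bound described above, written out as an added example (not go-jose's own code): a DEFLATE reader that stops at max(250 kB, 10x compressed size) so a compression bomb fails before it is fully expanded. Reading "250 kB" as 250*1024 bytes is an assumption about the exact constant, and the helper that builds the compressed inputs produces constructed data, not real JWE ciphertext.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// Bounds from the advisory: plaintext may not exceed the larger of 250 kB or
// 10x the compressed size. Reading "250 kB" as 250*1024 bytes is an assumption.
const minDecompressedLimit, decompressionRatio = 250 * 1024, 10
var ErrDecompressedTooLarge = errors.New("decompressed data exceeds limit")

// decompressionLimit returns max(250 kB, 10*compressedLen) in bytes.
func decompressionLimit(compressedLen int) int64 {
	if limit := int64(compressedLen) * decompressionRatio; limit > minDecompressedLimit {
		return limit
	}
	return minDecompressedLimit
}

// inflateBounded inflates raw DEFLATE (JWE "zip":"DEF") but reads at most
// limit+1 bytes, so an oversized payload is rejected before it is fully expanded.
func inflateBounded(compressed []byte) ([]byte, error) {
	limit := decompressionLimit(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	var out bytes.Buffer
	n, err := io.CopyN(&out, r, limit+1)
	if err != nil && err != io.EOF {
		return nil, err // corrupt DEFLATE stream
	}
	if n > limit {
		return nil, ErrDecompressedTooLarge
	}
	return out.Bytes(), nil
}

// deflate builds constructed test inputs (not real JWE ciphertext).
func deflate(plain []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	_, _ = w.Write(plain)
	_ = w.Close()
	return buf.Bytes()
}

func main() {
	_, small := inflateBounded(deflate([]byte("hello jose")))
	_, bomb := inflateBounded(deflate(make([]byte, 4<<20))) // 4 MiB of zeros, a few kB compressed
	fmt.Println("small payload:", small, "| 4 MiB bomb:", bomb)
}
```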
CVSS Metrics
- v3.1 | MEDIUM | Score: 4.3 | Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Affected Systems
- debian | golang-github-go-jose-go-jose
  < 4.0.1-1 | < 4.0.1-1
- debian | golang-gopkg-square-go-jose.v2
  all | all | < 2.6.3-1 | < 2.6.3-1