UBUNTU-CVE-2024-28102

Advisory lineage Upstream: 1 Downstream: 0
Upstream
CVE-2024-28102
Published: 21 Mar 2024, 02:52
Last modified:20 May 2026, 16:17

Vulnerability Summary

Overall Risk (default)
medium
27/100
CVSS Score
6.8 MEDIUM
3.1 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

21 Mar 2024, 02:52
Published
Vulnerability first disclosed
20 May 2026, 16:17
Last Modified
Vulnerability information updated

Description

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.

CVSS Metrics

  • v3.1MEDIUMScore: 6.8CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

Affected Systems

  • ubuntupython-jwcrypto

    all | all | all | all | all | all | all

References (4)