CVE-2023-52428

Published: Feb 11, 2024Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

Affected (1)

Products: Connect2id: Nimbus Jose+jwt

Connect2id

1 product

Nimbus Jose+jwt

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Connect2id Nimbus Jose+jwt	Before 9.37.2

Related CWEs

CWE-770

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (6)

https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e

Source: cve@mitre.org

Patch

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/

Source: cve@mitre.org

Issue Tracking

https://connect2id.com/products/nimbus-jose-jwt

Source: cve@mitre.org

Product

https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

https://connect2id.com/products/nimbus-jose-jwt

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.