4.3
CVE-2024-28180
- EPSS 3.64%
- Veröffentlicht 09.03.2024 01:15:07
- Zuletzt bearbeitet 03.12.2025 20:29:36
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch National Vulnerability Database (NVD)
Go-jose Project ≫ Go-jose Version >= 2.0.0 < 2.6.3
Go-jose Project ≫ Go-jose Version >= 3.0.0 < 3.0.3
Go-jose Project ≫ Go-jose Version >= 4.0.0 < 4.0.1
Fedoraproject ≫ Fedora Version >= 38 <= 40
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.64% | 0.874 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
|
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.