CVE-2024-21664
PUBLISHED
CVSS 4.3 MEDIUM
jwx is a Go module implementing the JWx family of technologies (JWA/JWE/JWK/JWS/JWT, collectively known as JOSE). Calling `jws.Parse` on a JWS in JSON serialization in which a signature object carries a `signature` field but no `protected` field leads to a nil pointer dereference. Because a Go nil-pointer dereference panics, an attacker who can submit such a token can crash or deny service to any system that verifies JWS input with the vulnerable parser. The vulnerability has been patched in versions 2.0.19 (v2 line) and 1.2.28 (v1 line).
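The failure mode described above, as an added example that is not part of this page or of the lestrrat-go/jwx code base: a deliberately minimal model of JWS JSON serialization (RFC 7515, general and flattened forms) with a parser that dereferences the `protected` member without checking for it, beside a hardened parser that returns an error, and a caller-side `recover` wrapper for code that cannot upgrade immediately. All type and function names here (`jsonJWS`, `SigningInputVulnerable`, `SigningInputFixed`, `SafeParse`, `ErrMissingProtected`) and the constructed sample tokens are assumptions for illustration; they do not correspond to jwx's API or to the exact code path of the fix.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical minimal model of one JWS signature object in JSON serialization
// (RFC 7515 section 7.2). Written for this example; not lestrrat-go/jwx's types.
// "protected" is a *string so that an absent member decodes to nil.
type jsonSignature struct {
	Protected *string                `json:"protected,omitempty"`
	Header    map[string]interface{} `json:"header,omitempty"`
	Signature string                 `json:"signature"`
}

// jsonJWS covers both the general form ("signatures" array) and the flattened
// form (a single signature object merged into the top level).
type jsonJWS struct {
	Payload    string                 `json:"payload"`
	Signatures []jsonSignature        `json:"signatures,omitempty"`
	Protected  *string                `json:"protected,omitempty"`
	Header     map[string]interface{} `json:"header,omitempty"`
	Signature  *string                `json:"signature,omitempty"`
}

// collect normalizes both forms into one list of signature objects.
func (j *jsonJWS) collect() []jsonSignature {
	sigs := j.Signatures
	if j.Signature != nil {
		sigs = append(sigs, jsonSignature{Protected: j.Protected, Header: j.Header, Signature: *j.Signature})
	}
	return sigs
}

// SigningInputVulnerable mirrors the bug class: it assumes "protected" is always
// present and dereferences it. A token with "signature" but no "protected"
// triggers a nil pointer dereference, which panics.
func SigningInputVulnerable(raw []byte) ([]string, error) {
	var j jsonJWS
	if err := json.Unmarshal(raw, &j); err != nil {
		return nil, err
	}
	var inputs []string
	for _, s := range j.collect() {
		inputs = append(inputs, *s.Protected+"."+j.Payload) // nil deref when "protected" is absent
	}
	return inputs, nil
}

// ErrMissingProtected is the hypothetical error the hardened parser returns.
var ErrMissingProtected = errors.New("jws: signature object has no protected header")

// SigningInputFixed rejects malformed signature objects with an error instead of
// panicking, and also checks that the protected header is valid base64url.
func SigningInputFixed(raw []byte) ([]string, error) {
	var j jsonJWS
	if err := json.Unmarshal(raw, &j); err != nil {
		return nil, err
	}
	sigs := j.collect()
	if len(sigs) == 0 {
		return nil, errors.New("jws: no signature objects present")
	}
	inputs := make([]string, 0, len(sigs))
	for _, s := range sigs {
		if s.Protected == nil {
			return nil, ErrMissingProtected
		}
		if _, err := base64.RawURLEncoding.DecodeString(*s.Protected); err != nil {
			return nil, fmt.Errorf("jws: protected header is not base64url: %w", err)
		}
		inputs = append(inputs, *s.Protected+"."+j.Payload)
	}
	return inputs, nil
}

// SafeParse is a caller-side mitigation: it converts a panic inside the parser
// into an error so one malformed token cannot take down the whole process.
// It is a stopgap only; upgrading to a patched release is the real fix.
func SafeParse(parse func([]byte) ([]string, error), raw []byte) (out []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("jws: parser panicked: %v", r)
		}
	}()
	return parse(raw)
}

// Constructed sample tokens (not real signed data): the payload is base64url of
// {"msg":"hi"} and the protected header is base64url of {"alg":"HS256"}.
const goodJWS = `{"payload":"eyJtc2ciOiJoaSJ9","protected":"eyJhbGciOiJIUzI1NiJ9","signature":"AAAA"}`
const badJWS = `{"payload":"eyJtc2ciOiJoaSJ9","signature":"AAAA"}`

func main() {
	if _, err := SafeParse(SigningInputVulnerable, []byte(badJWS)); err != nil {
		fmt.Println("vulnerable parser:", err)
	}
	_, err := SigningInputFixed([]byte(badJWS))
	fmt.Println("fixed parser:", err)
}
```

Note that `net/http` recovers panics in request handlers by default, so a verifier running inside an HTTP handler logs a stack trace and drops the connection rather than exiting; the same malformed token handled in a background goroutine (a message consumer, a batch job) terminates the process. That difference is why the advisory's impact is stated as crash or denial of service rather than only a failed request.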
EPSS 0.18% · 39.1st percentile
Risk Scores
CVSS v3.1
4.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
EPSS Score
0.18%
39.1st percentile
Affected Products
| Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|
| lestrrat-go | jwx | >= 2.0.0, < 2.0.19; >= 1.0.8, < 1.2.28 | 2.0.19, 1.2.28 |
| github.com | lestrrat-go/jwx/v2 | all releases before 2.0.19 | 2.0.19 |
| github.com | lestrrat-go/jwx | >= 1.0.8, < 1.2.28 | 1.2.28 |
Timeline
- (date not recorded) Security Advisory
- Jan 9, 2024 CVE Published
- Jan 18, 2024 EPSS Score
- Jan 23, 2024 CVE Updated
- Feb 15, 2024 EPSS Score
- Mar 14, 2024 EPSS Score
- May 9, 2024 EPSS Score
- Jun 6, 2024 EPSS Score
- Jul 4, 2024 EPSS Score
- Aug 1, 2024 EPSS Score
- Aug 29, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
References
- GitHub security advisory GHSA-pvcr-v8j8-j5q3: https://github.com/lestrrat-go/jwx/security/advisories/GHSA-pvcr-v8j8-j5q3
- Commit: https://github.com/lestrrat-go/jwx/commit/0e8802ce6842625845d651456493e7c87625601f
- Commit: https://github.com/lestrrat-go/jwx/commit/8c53d0ae52d5ab1e2b37c5abb67def9e7958fd65
- Commit: https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd
- NVD advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21664
- Package repository: https://github.com/lestrrat-go/jwx