CVE-2024-28122
PUBLISHED
CVSS 6.8 MEDIUM
JWX is a Go module implementing the JWx family of technologies (JWA/JWE/JWK/JWS/JWT, collectively known as JOSE). This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. This issue has been patched in versions 1.2.29 and 2.0.21.
EPSS 0.15% · 35.3rd percentile
Risk Scores
CVSS v3.1
6.8
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
EPSS Score
0.15%
35.3rd percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | lestrrat-go/jwx/v2 | 0 |
| lestrrat-go | jwx | 0, >= 2.0.0, < 2.0.21, 2.0.0 |
| lestrrat-go | jwx | 1.2.0, 2.0.0 |
| github.com | lestrrat-go/jwx | 0 |
Timeline
- (date not recorded) Security Advisory
- Mar 8, 2024 CVE Published
- Mar 9, 2024 EPSS Score
- Apr 4, 2024 EPSS Score
- Apr 30, 2024 EPSS Score
- May 27, 2024 EPSS Score
- Jun 22, 2024 EPSS Score
- Jul 18, 2024 EPSS Score
- Aug 13, 2024 EPSS Score
- Sep 8, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 5, 2024 EPSS Score
References
- https://github.com/lestrrat-go/jwx/security/advisories/GHSA-hj3v-m684-v259 (url)
- https://github.com/lestrrat-go/jwx/releases/tag/v1.2.29 (url)
- https://github.com/lestrrat-go/jwx/releases/tag/v2.0.21 (url)
- https://nvd.nist.gov/vuln/detail/CVE-2024-28122 (advisory)
- https://github.com/lestrrat-go/jwx/commit/d01027d74c7376d66037a10f4f64af9af26a7e34 (url)
- https://github.com/lestrrat-go/jwx/commit/d43f2ceb7f0c13714dfe8854d6439766e86faa76 (url)
- https://github.com/lestrrat-go/jwx (package)