QID 997685

Date Published: 2024-03-13

QID 997685: NodeJs (Npm) Security Update for jose (GHSA-hhhv-q57g-882q)

A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a result, the length of the JWE token, which is determined by the compressed content's size, can land below application-defined limits. In such cases, other existing application level mechanisms for preventing resource exhaustion may be rendered ineffective.

Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.

CVSS V3 rated as Medium - 4.9 severity.

CVSS V2 rated as Medium - 5.4 severity.

Solution

Refer to Github security advisory GHSA-hhhv-q57g-882q for updates and patch information.

Vendor References

GHSA-hhhv-q57g-882q - github.com/advisories/GHSA-hhhv-q57g-882q

CVEs related to QID 997685

CVE-2024-28176 |

Software Advisories

Advisory ID	Software	Component	Link
GHSA-hhhv-q57g-882q	jose		github.com/advisories/GHSA-hhhv-q57g-882q

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].