JOSE vulnerable to resource exhaustion via specifically crafted JWE

Description

The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named p2c (PBES2 Count), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key.

Recommendation

Update the jose package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 4.0.0, <= 4.9.1

  >= 3.0.0, <= 3.20.3

  >= 2.0.0, <= 2.0.5

  >= 1.0.0, <= 1.28.1**

• Patched version(s): **4.9.2

  3.20.4

  2.0.6

  1.28.2**

References

• GHSA-jv3g-j58f-9mq9
• CVE-2022-36083
• CWE-400
• CWE-834
• CAPEC-310
• OWASP 2021-A6

Related Issues

• JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) 2 - CVE-2022-36083
• JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) 3 - CVE-2022-36083
• JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) - CVE-2022-36083
• jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext (GHSA-hhhv-q57g-882q) 2 - CVE-2024-28176

Tags:

npm

jose