JOSE vulnerable to resource exhaustion via specifically crafted JWE - jose-browser-runtime

Severity:: Medium

Description

The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named p2c (PBES2 Count), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key.

Recommendation

Update the jose-browser-runtime package to the latest compatible version. Followings are version details:

Affected version(s): **>= 4.0.0, <= 4.9.1 >= 3.0.0, <= 3.20.3**
Patched version(s): **4.9.2 3.20.4**

References

GHSA-jv3g-j58f-9mq9
CVE-2022-36083
CWE-400
CWE-834
CAPEC-310
OWASP 2021-A6

Related Issues

JOSE vulnerable to resource exhaustion via specifically crafted JWE - jose-node-esm-runtime - CVE-2022-36083
JOSE vulnerable to resource exhaustion via specifically crafted JWE - jose-node-cjs-runtime - CVE-2022-36083
JOSE vulnerable to resource exhaustion via specifically crafted JWE - CVE-2022-36083
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - jose-node-esm-runtime - CVE-2024-28176

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; jose-browser-runtime

Anything's wrong? Let us know Last updated on July 21, 2023