jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext (GHSA-hhhv-q57g-882q)
- Severity: Medium
Description
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically in their support for decompressing the plaintext after it has been decrypted. An adversary can craft a JWE whose compressed plaintext has an exceptionally high compression ratio, so that decompression consumes far more resources than the size of the JWE itself suggests.
Recommendation
Update the jose-node-cjs-runtime package to the latest compatible version. Version details:
- Affected version(s): <= 4.15.4
- Patched version(s): 4.15.5
Related Issues
- When setting EntityOptions.apiPrefilter to a function, the filter is not applied to API requests for a resource by Id - CVE-2023-35167
- JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) - CVE-2022-36083
- Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime - CVE-2021-29446
- Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - CVE-2023-22621
- Tags: npm, jose-node-cjs-runtime
Last updated on March 30, 2024