CVE-2023-49290

lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's algorithm PBES2-* could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource- intensive. Therefore, if an attacker sets the p2c parameter in JWE to a very large number, it can cause a lot of computational consumption, resulting in a denial of service. This vulnerability has been addressed in commit `64f2a229b` which has been included in release version 1.2.27 and 2.0.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c	Patch
https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:lestrrat-go:jwx::::::::
	cpe:2.3:a:lestrrat-go:jwx::::::::

History

05 Dec 2023, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-05 00:15

Updated : 2024-03-04 22:59

NVD link : CVE-2023-49290

Mitre link : CVE-2023-49290

CVE.ORG link : CVE-2023-49290

JSON object : View

Products Affected

lestrrat-go

jwx

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2023-49290", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-12-05T00:15:09.190", "references": [{"url": "https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's algorithm PBES2-* could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource- intensive. Therefore, if an attacker sets the p2c parameter in JWE to a very large number, it can cause a lot of computational consumption, resulting in a denial of service. This vulnerability has been addressed in commit `64f2a229b` which has been included in release version 1.2.27 and 2.0.18. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "lestrrat-go/jwx es un m\u00f3dulo Go que implementa varias tecnolog\u00edas JWx (JWA/JWE/JWK/JWS/JWT, tambi\u00e9n conocidas como JOSE). Un par\u00e1metro p2c establecido demasiado alto en el algoritmo PBES2-* de JWE podr\u00eda provocar una denegaci\u00f3n de servicio. Los algoritmos de gesti\u00f3n de claves JWE basados en PBKDF2 requieren un par\u00e1metro de encabezado JOSE llamado p2c (PBES2 Count). Este par\u00e1metro dicta el n\u00famero de iteraciones de PBKDF2 necesarias para derivar una clave de envoltura CEK. Su objetivo principal es ralentizar intencionalmente la funci\u00f3n de derivaci\u00f3n de claves, haciendo que los ataques de fuerza bruta a contrase\u00f1as y de diccionario requieran m\u00e1s recursos. Por lo tanto, si un atacante establece el par\u00e1metro p2c en JWE en un n\u00famero muy grande, puede provocar un gran consumo computacional, lo que resultar\u00e1 en una denegaci\u00f3n de servicio. Esta vulnerabilidad se solucion\u00f3 en el commit `64f2a229b` que se incluy\u00f3 en las versiones 1.2.27 y 2.0.18. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-03-04T22:59:00.657", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lestrrat-go:jwx:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D883F8E3-02A2-4BC4-ADB3-F420624DD720", "versionEndExcluding": "1.2.27"}, {"criteria": "cpe:2.3:a:lestrrat-go:jwx:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "566A6052-A735-4FDB-975D-47C594210E70", "versionEndExcluding": "2.0.18", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}