The maintainer(s) of the affected project have already been made aware of this vulnerability.
Description
The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2-encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.
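As an added defender-side illustration (not code from go-jose or from this vulndb report), the following Go pre-check reads the protected header of a compact JWE and refuses PBES2 inputs whose p2c is out of range before any PBKDF2 work is done. The ceiling maxPBES2Count, the helper mkSample and its placeholder segments are assumptions made for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Deployment-chosen ceiling for the PBKDF2 iteration count (p2c); the number is
// an assumption for this example, not the limit any go-jose release uses.
const maxPBES2Count = 1_000_000
var errBadP2C = errors.New("jwe: PBES2 p2c missing, non-positive, or above maximum")

// jweHeader holds only the protected-header fields the check needs.
type jweHeader struct {
	Alg string `json:"alg"`
	P2C int64  `json:"p2c"`
}

// checkPBES2Count inspects a compact JWE's protected header before decryption
// and rejects PBES2 inputs whose p2c is out of range, so the PBKDF2 work an
// attacker asked for is never performed. Returns the p2c seen (0 if not PBES2).
func checkPBES2Count(compact string) (int64, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return 0, fmt.Errorf("jwe: expected 5 compact parts, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return 0, fmt.Errorf("jwe: bad protected header encoding: %w", err)
	}
	var hdr jweHeader // a non-integer p2c such as 1e9 fails to unmarshal and is refused
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return 0, fmt.Errorf("jwe: bad protected header JSON: %w", err)
	}
	if !strings.HasPrefix(hdr.Alg, "PBES2-") {
		return 0, nil // not password-based key wrap; p2c is irrelevant
	}
	if hdr.P2C <= 0 || hdr.P2C > maxPBES2Count {
		return hdr.P2C, errBadP2C
	}
	return hdr.P2C, nil
}

// mkSample builds a constructed compact JWE: real protected header, placeholder segments.
func mkSample(alg string, p2c int64) string {
	hdr, _ := json.Marshal(map[string]interface{}{"alg": alg, "enc": "A128CBC-HS256", "p2c": p2c, "p2s": "c2FsdA"})
	return base64.RawURLEncoding.EncodeToString(hdr) + ".a.b.c.d"
}
```

Run the check on every inbound token before handing it to the JWE library; a rejected token costs one base64 decode and one small JSON parse instead of billions of hash iterations.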
Tracing vulnerable package/module versions backwards is a bit of a challenge since go-jose/go-jose is a fork of square/go-jose. The Square version is unmaintained and states: "No support, security fixes or updates will be delivered to the v1/v2 branches in the Square repository." This vulnerability may be a good opportunity to encourage users to move to the maintained package.
I've confirmed that the Square package at version 2.6.0 is vulnerable, but I haven't traced it all the way back to which version introduced the vulnerability. I suspect it's always been there. This library is provided by the following packages (which have considerable importedby size):
For #2334
Change-Id: I8065e0afe2c2aa26db5e6977e491777d2000a707
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545955
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tim King <taking@google.com>
CVE/GHSA ID
No response
Fix Commit or Pull Request
go-jose/go-jose#66
References