x/vulndb: potential Go vuln in go-jose #2334

Closed
1 task done
mschwager opened this issue Nov 13, 2023 · 2 comments

Comments

@mschwager

Acknowledgement

  • The maintainer(s) of the affected project have already been made aware of this vulnerability.

Description

The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

Affected Modules, Packages, Versions and Symbols

Module: github.com/go-jose/go-jose
Package: github.com/go-jose/go-jose/v3
Versions:
  - Introduced: 3.0.0
  - Fixed: 3.0.1
Symbols:
  - JSONWebEncryption.Decrypt

Module: gopkg.in/square/go-jose.v2
Package: gopkg.in/square/go-jose.v2
Versions:
  - Introduced: 2.6.0
Symbols:
  - JSONWebEncryption.Decrypt

CVE/GHSA ID

No response

Fix Commit or Pull Request

go-jose/go-jose#66

References

Additional information

Tracing vulnerable package/module versions backwards is a bit of a challenge since go-jose/go-jose is a fork of square/go-jose. The Square version is unmaintained and states: "No support, security fixes or updates will be delivered to the v1/v2 branches in the Square repository." This vulnerability may be a good opportunity to encourage users to move to the maintained package.

I've confirmed that the Square package at version 2.6.0 is vulnerable, but I haven't traced it all the way back to which version introduced the vulnerability. I suspect it's always been there. This library is provided by the following packages (which have considerable importedby size):
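A defensive pre-check of the kind this report calls for, added here as an example (it is not go-jose's own code or the upstream fix): parse the protected header of a compact-serialized JWE and refuse PBES2 inputs whose attacker-controlled p2c exceeds a cap, before any key derivation runs. The cap value MaxP2C, the function names and the placeholder JWE segments are assumptions for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// MaxP2C caps the honored PBES2 iteration count (assumed value, not go-jose's own limit).
const MaxP2C = 1_000_000

// jweHeader holds the protected-header fields relevant to the PBES2 check.
type jweHeader struct {
	Alg string `json:"alg"`
	P2C int64  `json:"p2c"`
}

// CheckPBES2Header parses the protected header of a compact JWE and rejects PBES2
// inputs whose attacker-controlled p2c exceeds MaxP2C, before any key derivation runs.
func CheckPBES2Header(compactJWE string) (*jweHeader, error) {
	parts := strings.Split(compactJWE, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("not a compact JWE: got %d segments, want 5", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("protected header is not base64url: %w", err)
	}
	var hdr jweHeader
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return nil, fmt.Errorf("protected header is not JSON: %w", err)
	}
	// p2c only matters for password-based key wrapping (PBES2-HS*+A*KW).
	if strings.HasPrefix(hdr.Alg, "PBES2-") && (hdr.P2C <= 0 || hdr.P2C > MaxP2C) {
		return nil, fmt.Errorf("refusing PBES2 JWE: p2c=%d outside (0, %d]", hdr.P2C, MaxP2C)
	}
	return &hdr, nil
}

// BuildJWE constructs a compact JWE carrying the given protected header; the
// other four segments are placeholder bytes, enough to exercise the check.
func BuildJWE(header map[string]any) string {
	raw, _ := json.Marshal(header)
	return base64.RawURLEncoding.EncodeToString(raw) + ".AAAA.AAAA.AAAA.AAAA"
}

func main() {
	hostile := BuildJWE(map[string]any{"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2c": 2_000_000_000, "p2s": "c2FsdA"})
	_, err := CheckPBES2Header(hostile)
	fmt.Println("hostile JWE rejected:", err != nil, "->", err)
}
```

In a real service this check sits in front of the library's decrypt call, so a hostile header is dropped before PBKDF2 is ever invoked.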

@gopherbot
Contributor

Change https://go.dev/cl/544075 mentions this issue: data/reports: add GO-2023-2334.yaml

gopherbot pushed a commit that referenced this issue Nov 29, 2023
For #2334

Change-Id: I8065e0afe2c2aa26db5e6977e491777d2000a707
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545955
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Tim King <taking@google.com>
@gopherbot
Contributor

Change https://go.dev/cl/545955 mentions this issue: data/reports/GO-2023-2334: add GHSA reference
