AZL-35844

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-35844.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-35844

Upstream

CVE-2024-28180

Published

2024-03-09T01:15:07Z

Modified

2026-04-01T05:13:03.706805Z

Summary

CVE-2024-28180 affecting package kube-vip-cloud-provider for versions less than 0.0.2-19

Details

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-28180

Affected packages

Azure Linux:2 / kube-vip-cloud-provider

Package

Name: kube-vip-cloud-provider
Purl: pkg:rpm/azure-linux/kube-vip-cloud-provider

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.2-19

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-35844.json"