AZL-35882

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-35882.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-35882

Upstream

CVE-2024-28180

Published

2024-03-09T01:15:07Z

Modified

2026-04-01T05:12:14.921437Z

Summary

CVE-2024-28180 affecting package keda for versions less than 2.14.0-1

Details

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-28180

Affected packages

Azure Linux:3 / keda

Package

Name: keda
Purl: pkg:rpm/azure-linux/keda

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.14.0-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-35882.json"