GHSA-cw2r-4p82-qv79

Suggest an improvement
Source
https://github.com/advisories/GHSA-cw2r-4p82-qv79
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-cw2r-4p82-qv79/GHSA-cw2r-4p82-qv79.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cw2r-4p82-qv79
Aliases
Published
2023-12-28T16:36:59Z
Modified
2024-11-12T18:56:05.476606Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
DoS with algorithms that use PBKDF2 due to unbounded PBES2 Count value
Details

Impact

Denial of Service, Applications that allow the use of the PBKDF2 algorithm.

Patches

A patch is available that sets the maximum number of default rounds.

Workarounds

Applications that do not need to use PBKDF2 should simply specify the algorithms use and exclude it from the list. Applications that need to use the algorithm should upgrade to the new version that allows to set a maximum rounds number.

Acknowledgement

The issues was reported by Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab

Database specific
{
    "nvd_published_at": "2024-02-12T14:15:08Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-28T16:36:59Z"
}
References

Affected packages

PyPI / jwcrypto

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5.1

Affected versions

0.*

0.2.0
0.2.1
0.3.0
0.3.1
0.4.0
0.4.1
0.4.2
0.5.0
0.6.0
0.7
0.8
0.9
0.9.1

1.*

1.0
1.2
1.3
1.3.1
1.4
1.4.1
1.4.2
1.5.0