Denial of service via decryption of malicious PBES2 JWE objects in github.com/go-jose/go-jose/v3

Overview

Source
ID
GO-2023-2334
Aliases
GHSA-2c7c-3mj9-8fqh
Affected package

Description

The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

Impact

Reference links

Summary

1.99k
Total packages affected
Packages with at least one version that is affected by the advisory or has an affected dependency.
849
Packages with a known fix
Packages with versions affected by the advisory that have a greater version that is not affected.
0.15%
Total ecosystem affected
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
github.com/go-jose/go-jose/v3
Affected Version: Introduced: 0, Fixed: 3.0.1
Patched/Unaffected
v3.0.1
v3.0.2
v3.0.3
v3.0.4
github.com/square/go-jose
Affected Version: Introduced: 0
Affected
v2.6.0+incompatible
v2.5.1+incompatible
v2.5.0+incompatible
v2.4.1+incompatible
v2.4.0+incompatible
v2.3.1+incompatible
v2.3.0+incompatible
v2.2.2+incompatible
v2.2.1+incompatible
v2.2.0+incompatible
v2.1.9+incompatible
v2.1.8+incompatible
v2.1.7+incompatible
v2.1.6+incompatible
v2.1.5+incompatible
v2.1.4+incompatible
v2.1.3+incompatible
v2.1.2+incompatible
v2.1.1+incompatible
v2.1.0+incompatible
v2.0.1+incompatible
v2.0.0+incompatible
v1.1.2
v1.1.1
v1.1.0
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0.0
v0.0.0-20161027010314-63d7cfa0284d