Denial of Service Vulnerability in PasswordBasedDecrypter Component
CVE-2023-52428

7.5HIGH

Key Information:

Vendor: Connect2id
Status: Nimbus Jose\+jwt
Vendor: CVE Published:; 11 February 2024

What is CVE-2023-52428?

An issue in Nimbus JOSE+JWT before version 9.37.2 allows attackers to exploit the PasswordBasedDecrypter (PBKDF2) component by providing a significantly large JWE p2c header value. This manipulation can lead to excessive resource consumption, effectively causing a denial of service. It is crucial for users of affected products to upgrade to the latest version to mitigate this security risk. The vulnerability highlights the importance of proper input validation and resource management in cryptographic implementations.

References

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/

https://connect2id.com/products/nimbus-jose-jwt

https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 11, 2024
Vulnerability Reserved
Feb 11, 2024

Connect2id

What is CVE-2023-52428?

References

CVSS V3.1

Timeline