
CVE-2023-6681: DoS with algorithms that use PBKDF2 due to unbounded PBES2 Count value

CVSS Score (v3.1)
5.3

Basic Information

EPSS Score
0.06463%
Published
12/28/2023
Updated
11/12/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package Name
jwcrypto
Ecosystem
pip
Vulnerable Versions
< 1.5.1
First Patched Version
1.5.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the lack of validation on the 'p2c' parameter in PBES2 key derivation. The patch adds a check against 'default_max_pbkdf2_iterations' in PBES2._get_key, confirming this was the vulnerable point. The tests added in jwcrypto/tests.py explicitly validate this boundary by triggering an error when p2c exceeds the maximum, reinforcing that this function was the attack surface.
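As an added illustration (not jwcrypto's own code), the following Python derives a PBES2 key-wrapping key from a JWE protected header following RFC 7518 and applies the kind of ceiling the patch introduced: the attacker-supplied 'p2c' count is rejected before any PBKDF2 work is done when it exceeds the configured maximum. The cap value, the function names and the constructed headers are assumptions for this example, not values taken from the project.

```python
import base64
import hashlib
import json

# Constructed ceiling for this example. jwcrypto 1.5.1 exposes its own limit as
# default_max_pbkdf2_iterations; the number used here is an assumption.
MAX_PBKDF2_ITERATIONS = 16384

# PBES2 algorithm -> (PBKDF2 PRF hash, derived key length in bytes), RFC 7518 s.4.8
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def pbes2_derive_key(protected_header_b64: str, password: bytes,
                     max_iterations: int = MAX_PBKDF2_ITERATIONS) -> bytes:
    """Derive the PBES2 key-wrapping key; 'p2c' and 'p2s' come from the untrusted header."""
    header = json.loads(b64url_decode(protected_header_b64))
    alg = header["alg"]
    if alg not in PBES2_ALGS:
        raise ValueError(f"not a PBES2 algorithm: {alg}")
    hash_name, keylen = PBES2_ALGS[alg]

    # The fix: bound the iteration count before spending any CPU on PBKDF2.
    # Without this check a single JWE carrying a huge p2c ties up the decryptor.
    p2c = header["p2c"]
    if not isinstance(p2c, int) or p2c < 1 or p2c > max_iterations:
        raise ValueError(f"p2c={p2c!r} outside 1..{max_iterations}")

    p2s = b64url_decode(header["p2s"])
    if len(p2s) < 8:  # RFC 7518 s.4.8.1.1 requires at least 8 salt octets
        raise ValueError("p2s too short")
    salt = alg.encode("utf-8") + b"\x00" + p2s  # salt = UTF8(alg) || 0x00 || p2s
    return hashlib.pbkdf2_hmac(hash_name, password, salt, p2c, dklen=keylen)


def make_header(alg: str, p2s: bytes, p2c: int) -> str:
    """Build a constructed JWE protected header for testing the bound check."""
    hdr = {"alg": alg, "enc": "A128GCM", "p2s": b64url_encode(p2s), "p2c": p2c}
    return b64url_encode(json.dumps(hdr).encode())


def header_accepted(protected_header_b64: str, password: bytes) -> bool:
    try:
        pbes2_derive_key(protected_header_b64, password)
        return True
    except ValueError:
        return False
```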
