CVE-2024-32007: Apache CXF Denial of Service vulnerability in JOSE

CVSS Score (v3.1)
5.3

Basic Information

EPSS Score
0.72783%
Published
7/19/2024
Updated
8/8/2024
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package Name                              Ecosystem   Vulnerable Versions   First Patched Version
org.apache.cxf:cxf-rt-rs-security-jose    maven       >= 4.0.0, < 4.0.5     4.0.5
org.apache.cxf:cxf-rt-rs-security-jose    maven       >= 3.6.0, < 3.6.4     3.6.4
org.apache.cxf:cxf-rt-rs-security-jose    maven       < 3.5.9               3.5.9

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing input validation for the 'p2c' parameter (the PBES2 iteration count carried in the JWE header and fed to PBKDF2) during JWE decryption. The commit diff shows:

  1. A new maxPbesCount parameter was added to the PbesHmacAesWrapKeyDecryptionAlgorithm constructors.
  2. A validation check 'if (pbesCount > maxPbesCount)' was added in getDecryptedContentEncryptionKey.
  3. Test cases were added to verify that large p2c values are rejected.

This indicates the vulnerable code path was the decryption flow that handled the p2c parameter without any such limit. The function directly processes untrusted input (the p2c header) and, before the patch, lacked resource consumption safeguards: the iteration count is taken straight from the token, so a large value translates directly into CPU time spent in PBKDF2 before the token is ever authenticated.
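As an added illustration of the kind of bound the patch introduces (this is not Apache CXF's code; the ceiling value, method names and the constructed headers below are assumptions), the p2c count is read from the protected header and checked before any PBKDF2 work starts:

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustrative bound on the PBES2 "p2c" iteration count; not Apache CXF code. */
public class BoundedPbes2 {
    // Assumed ceiling: the page does not state the default CXF applies to maxPbesCount.
    static final int MAX_PBES_COUNT = 1_000_000;
    private static final Pattern P2C = Pattern.compile("\"p2c\"\\s*:\\s*(\\d+)");

    /** Reads p2c from a base64url JWE protected header and rejects it before any PBKDF2 runs. */
    static int checkedPbesCount(String protectedHeaderB64, int maxPbesCount) {
        String json = new String(Base64.getUrlDecoder().decode(protectedHeaderB64), StandardCharsets.UTF_8);
        Matcher m = P2C.matcher(json);
        if (!m.find()) throw new IllegalArgumentException("p2c header missing");
        String digits = m.group(1);
        // Check the digit length first so an absurdly long number can never overflow int.
        if (digits.length() > 9 || Integer.parseInt(digits) < 1 || Integer.parseInt(digits) > maxPbesCount) {
            throw new IllegalArgumentException("p2c " + digits + " outside [1, " + maxPbesCount + "]");
        }
        return Integer.parseInt(digits);
    }

    /** PBKDF2 key-encryption-key derivation for PBES2-HS256+A128KW (RFC 7518 salt = alg || 0x00 || p2s). */
    static byte[] deriveKek(char[] password, String alg, byte[] p2s, int p2c) throws GeneralSecurityException {
        byte[] prefix = (alg + "\0").getBytes(StandardCharsets.UTF_8);
        byte[] salt = Arrays.copyOf(prefix, prefix.length + p2s.length);
        System.arraycopy(p2s, 0, salt, prefix.length, p2s.length);
        PBEKeySpec spec = new PBEKeySpec(password, salt, p2c, 128);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        // Constructed headers: one with a sane count, one asking for two billion iterations.
        String headerOk  = b64url("{\"alg\":\"PBES2-HS256+A128KW\",\"enc\":\"A128GCM\",\"p2s\":\"c2FsdHNhbHQ\",\"p2c\":4096}");
        String headerBig = b64url("{\"alg\":\"PBES2-HS256+A128KW\",\"enc\":\"A128GCM\",\"p2s\":\"c2FsdHNhbHQ\",\"p2c\":2000000000}");
        byte[] p2s = Base64.getUrlDecoder().decode("c2FsdHNhbHQ");   // constructed salt input ("saltsalt")
        int p2c = checkedPbesCount(headerOk, MAX_PBES_COUNT);
        byte[] kek = deriveKek("constructed-password".toCharArray(), "PBES2-HS256+A128KW", p2s, p2c);
        System.out.println("accepted p2c=" + p2c + ", KEK bytes=" + kek.length);
        try {
            checkedPbesCount(headerBig, MAX_PBES_COUNT);   // rejected before PBKDF2 is ever called
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }

    private static String b64url(String s) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }
}
```

The ordering is the point: the bound is enforced on the parsed header value, so the cost of an oversized count is a thrown exception rather than the PBKDF2 loop the unpatched path would have entered.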

WAF Protection Rules

WAF Rule

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.
