GHSA-mhpq-9638-x6pw: Denial of service when decrypting attacker-controlled input in github.com/dvsekhvalnov/jose2go
Basic Information
CVSS Score: 5.3 (CVSS v3.1)
CVE ID: -
GHSA ID: GHSA-mhpq-9638-x6pw
EPSS Score: -
CWE: CWE-400
Published: 12/20/2023
Updated: 7/5/2024
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/dvsekhvalnov/jose2go | go | < 1.5.1-0.20231206184617-48ba0b76bc88 | 1.5.1-0.20231206184617-48ba0b76bc88 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from accepting the 'p2c' header value (the PBES2 iteration count) from the JWE without validation during decryption, so the party that produced the token can dictate how many PBKDF2 iterations the decrypting side performs. The patch adds iteration-count guards in Pbse2HmacAesKW.Unwrap, indicating that this was the vulnerable function. The CWE-400 (Uncontrolled Resource Consumption) classification matches: the CPU time spent on key derivation grows linearly with an attacker-controlled iteration count. The test cases added in jose_test.go specifically target p2c validation failures in decryption operations handled by this function.
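The guard described above, as an added example that is not jose2go's own code: a standalone Go program that parses the protected header of a compact JWE, bounds p2c before any PBKDF2 work is done, and only then derives the PBES2 key-wrapping key. The function names, the MaxP2C ceiling and the sample password and salt are constructed for this example; MinP2C follows the RFC 7518 recommendation of at least 1000 iterations, and the salt construction and alg-to-PRF mapping follow RFC 7518 Section 4.8. The inline PBKDF2 is there to make visible why an unchecked p2c is a resource-consumption bug: every iteration is one HMAC.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"hash"
)

// MaxP2C is an assumed ceiling on the PBES2 iteration count accepted from a
// peer. It is a constructed value for this example, not the bound used by jose2go.
const MaxP2C = 1_000_000

// MinP2C follows the RFC 7518 recommendation of at least 1000 iterations.
const MinP2C = 1000

var (
	ErrP2CRange = errors.New("p2c outside accepted range")
	ErrAlg      = errors.New("alg is not a PBES2 key-wrapping algorithm")
)

// Header carries the JWE protected-header fields PBES2 key wrapping needs.
type Header struct {
	Alg string `json:"alg"`
	P2S string `json:"p2s"`
	P2C int64  `json:"p2c"`
}

// pbes2Params maps each PBES2 alg to its PRF and wrapping-key length (RFC 7518 §4.8).
var pbes2Params = map[string]struct {
	prf    func() hash.Hash
	keyLen int
}{
	"PBES2-HS256+A128KW": {sha256.New, 16},
	"PBES2-HS384+A192KW": {sha512.New384, 24},
	"PBES2-HS512+A256KW": {sha512.New, 32},
}

// ParseProtectedHeader decodes the first segment of a compact JWE and checks
// alg and p2c before any key derivation can run. The p2c bound is the guard
// the advisory describes; without it the peer chooses the amount of CPU work.
func ParseProtectedHeader(segment string) (*Header, error) {
	raw, err := base64.RawURLEncoding.DecodeString(segment)
	if err != nil {
		return nil, fmt.Errorf("protected header: %w", err)
	}
	var h Header
	if err := json.Unmarshal(raw, &h); err != nil {
		return nil, fmt.Errorf("protected header: %w", err)
	}
	if _, ok := pbes2Params[h.Alg]; !ok {
		return nil, ErrAlg
	}
	if h.P2C < MinP2C || h.P2C > MaxP2C {
		return nil, fmt.Errorf("%w: %d", ErrP2CRange, h.P2C)
	}
	return &h, nil
}

// DeriveWrappingKey runs PBKDF2 only after ParseProtectedHeader has bounded p2c.
func DeriveWrappingKey(segment string, password []byte) ([]byte, error) {
	h, err := ParseProtectedHeader(segment)
	if err != nil {
		return nil, err
	}
	p2s, err := base64.RawURLEncoding.DecodeString(h.P2S)
	if err != nil {
		return nil, fmt.Errorf("p2s: %w", err)
	}
	// RFC 7518 §4.8.1.1: salt = UTF8(alg) || 0x00 || p2s.
	salt := append(append([]byte(h.Alg), 0), p2s...)
	p := pbes2Params[h.Alg]
	return pbkdf2(p.prf, password, salt, int(h.P2C), p.keyLen), nil
}

// pbkdf2 implements PBKDF2 (RFC 8018 §5.2). Each iteration costs one HMAC,
// so total work is linear in iter: the quantity an unchecked p2c hands to the peer.
func pbkdf2(prf func() hash.Hash, password, salt []byte, iter, keyLen int) []byte {
	mac := hmac.New(prf, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac.Reset()
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// EncodeHeader builds a protected-header segment; used only to construct sample input.
func EncodeHeader(h Header) string {
	raw, _ := json.Marshal(h)
	return base64.RawURLEncoding.EncodeToString(raw)
}

func main() {
	pw := []byte("constructed-demo-password") // constructed sample, not a real secret
	salt := base64.RawURLEncoding.EncodeToString([]byte("constructed-salt"))
	k, err := DeriveWrappingKey(EncodeHeader(Header{Alg: "PBES2-HS256+A128KW", P2S: salt, P2C: 4096}), pw)
	fmt.Printf("p2c=4096: key=%x err=%v\n", k, err)
	_, err = DeriveWrappingKey(EncodeHeader(Header{Alg: "PBES2-HS256+A128KW", P2S: salt, P2C: 2_000_000_000}), pw)
	fmt.Printf("p2c=2e9: err=%v\n", err)
}
```

The order of checks matters for the fix: alg and p2c are validated on the parsed header before DeriveWrappingKey touches the password, so a hostile p2c costs one JSON parse and an error rather than billions of HMAC calls. A header whose p2c does not fit an int64 fails in json.Unmarshal, which is also a rejection before any derivation.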