CGA-hvjw-cqfw-cqf3
Denial of Service vulnerability in nimbus-jose-jwt (Maven)
What is CGA-hvjw-cqfw-cqf3 About?
This vulnerability allows for a denial of service in Connect2id Nimbus JOSE+JWT due to improper handling of large `p2c` header values. Attackers can exploit this by sending a crafted JWE with an excessive iteration count, leading to significant resource consumption and potential server unavailability. Exploiting this flaw is relatively straightforward, requiring only the ability to send a specially malformed JWE.
Affected Software
Technical Details
The vulnerability resides in the PasswordBasedDecrypter (PBKDF2) component of the Connect2id Nimbus JOSE+JWT library. Specifically, it involves the processing of the p2c (iteration count) header value within a JWE (JSON Web Encryption) token. An attacker can supply an arbitrarily large integer value for this header. When the library attempts to decrypt the JWE using PBKDF2 with a very high iteration count, it consumes excessive CPU cycles and memory resources, as PBKDF2 is computationally intensive. This prolonged resource consumption leads to a denial of service condition for the application or server processing the malicious JWE.
What is the Impact of CGA-hvjw-cqfw-cqf3?
Successful exploitation may allow attackers to cause system instability, degrade performance, or render services unavailable to legitimate users.
What is the Exploitability of CGA-hvjw-cqfw-cqf3?
Exploitation is of low complexity and can be performed remotely. The primary prerequisite is the ability for an attacker to submit a crafted JWE token to an application utilizing the Connect2id Nimbus JOSE+JWT library that processes and decrypts JWEs. No specific authentication or privilege levels are required beyond the ability to interact with the JWE processing endpoint. The attacker needs to control the JWE p2c header value, setting it to a sufficiently large number. The risk of exploitation is increased in applications that accept JWE tokens from untrusted sources without proper validation or limits on the iteration count.
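The mitigation the paragraph above alludes to, a limit on the iteration count, can be enforced by the consuming application before the library performs any PBKDF2 work. The example below is an added illustration, not code from the Nimbus JOSE+JWT project: it parses the compact JWE (which reads only the protected header), refuses anything that is not PBES2 key management, bounds `p2c` to a chosen window, and only then hands the object to `PasswordBasedDecrypter`. The class name, the bounds `MIN_P2C`/`MAX_P2C` and the use of `JWEAlgorithm.Family.PBES2` and `JWEHeader.getPBES2Count()` are this example's own choices; the numeric bounds are a policy value to set against your own CPU budget, and the check remains useful as defense in depth on versions at or above the fixed 9.37.2.

```java
import java.text.ParseException;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.crypto.PasswordBasedDecrypter;

/**
 * Added illustration (not Nimbus JOSE+JWT library code): reject a JWE whose
 * PBES2 "p2c" iteration count is outside an application-defined window
 * before any PBKDF2 computation takes place.
 */
public final class BoundedPbes2Decrypt {

    /** Upper bound chosen for this example; tune to the cost you are willing to pay per token. */
    static final int MAX_P2C = 1_000_000;

    /** Lower bound: RFC 7518 recommends a minimum of 1000 iterations for PBES2. */
    static final int MIN_P2C = 1_000;

    private BoundedPbes2Decrypt() {}

    /**
     * Decrypts a compact-serialized JWE with the given password, but only if
     * the header uses a PBES2 algorithm and its p2c value lies within bounds.
     *
     * @return the decrypted payload as a string
     * @throws JOSEException if the header is rejected or decryption fails
     */
    public static String decryptWithBoundedCost(String compactJwe, String password)
            throws ParseException, JOSEException {

        // parse() decodes the header only; no key derivation happens here
        JWEObject jwe = JWEObject.parse(compactJwe);
        JWEHeader header = jwe.getHeader();

        // Accept only PBES2 key management; anything else is out of scope for this decrypter
        if (!JWEAlgorithm.Family.PBES2.contains(header.getAlgorithm())) {
            throw new JOSEException("Rejected JWE: unexpected alg " + header.getAlgorithm());
        }

        // A missing p2c reads as 0 and is rejected by the lower bound
        int p2c = header.getPBES2Count();
        if (p2c < MIN_P2C || p2c > MAX_P2C) {
            throw new JOSEException("Rejected JWE: p2c=" + p2c
                    + " outside [" + MIN_P2C + ", " + MAX_P2C + "]");
        }

        // Bounds are enforced; PBKDF2 work is now capped at MAX_P2C iterations
        jwe.decrypt(new PasswordBasedDecrypter(password));
        return jwe.getPayload().toString();
    }
}
```

Perform this check at the boundary where tokens arrive from untrusted parties, and log the rejected `p2c` value: a stream of rejections with very large counts is a direct signal of the attack described on this page.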
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CGA-hvjw-cqfw-cqf3?
Available Upgrade Options
- com.nimbusds:nimbus-jose-jwt
- <9.37.2 → Upgrade to 9.37.2
Additional Resources
- https://osv.dev/vulnerability/GHSA-gvpg-vgmx-xg6w
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526
- https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e
- https://connect2id.com/products/nimbus-jose-jwt
- https://nvd.nist.gov/vuln/detail/CVE-2023-52428
- https://bitbucket.org/connect2id/nimbus-jose-jwt
What are Similar Vulnerabilities to CGA-hvjw-cqfw-cqf3?
Similar Vulnerabilities: CVE-2022-42915, CVE-2021-4122, CVE-2018-12911, CVE-2017-9800, CVE-2016-1000341
