GHSA-3677-xxcr-wjqv
Denial-of-Service (DoS) vulnerability in jose4j (Maven)

Category: Denial-of-Service (DoS). Known public exploit: none.

What is GHSA-3677-xxcr-wjqv About?

This vulnerability in jose4j allows a Denial-of-Service condition via a specially crafted JSON Web Encryption (JWE) token that uses the "zip":"DEF" (DEFLATE) header parameter defined in RFC 7516. An attacker prepares a token whose payload has an exceptionally high compression ratio, so that decompressing it consumes far more memory and processing time than the token's size suggests. Exploitation consists of submitting such a token to a system that decrypts and decompresses it with a vulnerable jose4j version.

Affected Software

org.bitbucket.b_c:jose4j <0.9.5

Technical Details

The vulnerability in jose4j versions prior to 0.9.5 resides in its handling of JSON Web Encryption (JWE) tokens, specifically in the decompression step. RFC 7516 lets a JWE declare "zip":"DEF", meaning the plaintext was compressed with raw DEFLATE (RFC 1951) before encryption; the recipient decrypts the ciphertext and then inflates the result. DEFLATE can expand by roughly 1000:1, so a payload of a few hundred kilobytes can inflate to hundreds of megabytes. Before 0.9.5 jose4j inflated the payload with no ceiling on the output size, so an attacker who can get a JWE decrypted by the library can force it to allocate and process whatever the stream expands to. The resulting memory and CPU exhaustion can leave the application or server unresponsive or crash it, causing a Denial-of-Service. Version 0.9.5 addresses this by bounding the amount of decompressed content it will produce.
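To make the mechanism concrete, the following is an added example in plain JDK Java; it is not jose4j's code and is not part of the advisory. It builds a raw-DEFLATE payload of the kind a JWE with "zip":"DEF" carries after decryption, reports its compression ratio, inflates it without any bound (the behaviour described above) and then with an output ceiling, which is the kind of check a fixed library applies and which is also what the upgrade note below is about. The class name JweDeflateBombDemo, the constant MAX_INFLATED_BYTES and the 256 KiB ceiling are illustrative assumptions; the decryption step is omitted because the expansion happens on the already-decrypted plaintext.

```java
import java.io.ByteArrayOutputStream;
import java.util.Arrays;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

/**
 * Added example (not jose4j code): a raw-DEFLATE "decompression bomb" of the
 * kind a JWE with "zip":"DEF" carries after decryption, inflated first with no
 * bound and then with an output ceiling that rejects it.
 */
public class JweDeflateBombDemo {

    /** Assumed ceiling on decompressed payload size in bytes; size it for real payloads. */
    static final int MAX_INFLATED_BYTES = 256 * 1024;

    /**
     * Constructed attacker input: a highly repetitive plaintext, deflated with
     * nowrap=true (no zlib header), i.e. RFC 1951 raw DEFLATE as JWE "zip":"DEF" uses.
     */
    static byte[] makeBomb(int plaintextBytes) {
        byte[] plain = new byte[plaintextBytes];
        Arrays.fill(plain, (byte) 'A');
        Deflater deflater = new Deflater(Deflater.BEST_COMPRESSION, true);
        deflater.setInput(plain);
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        while (!deflater.finished()) {
            int n = deflater.deflate(chunk);
            out.write(chunk, 0, n);
        }
        deflater.end();
        return out.toByteArray();
    }

    /** Unbounded inflate: output grows to whatever the stream expands to. */
    static byte[] inflateUnbounded(byte[] compressed) throws DataFormatException {
        return inflate(compressed, Integer.MAX_VALUE);
    }

    /** Bounded inflate: fails as soon as the output would exceed maxBytes, before buffering it. */
    static byte[] inflateBounded(byte[] compressed, int maxBytes) throws DataFormatException {
        return inflate(compressed, maxBytes);
    }

    private static byte[] inflate(byte[] compressed, int maxBytes) throws DataFormatException {
        Inflater inflater = new Inflater(true); // true = raw DEFLATE, no zlib wrapper
        inflater.setInput(compressed);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        try {
            while (!inflater.finished()) {
                int n = inflater.inflate(chunk);
                // Guard against a stream that stalls without reaching end-of-stream.
                if (n == 0 && (inflater.needsInput() || inflater.needsDictionary())) {
                    break;
                }
                if ((long) out.size() + n > maxBytes) {
                    throw new IllegalArgumentException("decompressed JWE payload exceeds "
                            + maxBytes + " bytes; rejecting as a possible decompression bomb");
                }
                out.write(chunk, 0, n);
            }
        } finally {
            inflater.end();
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        final int plaintextSize = 32 * 1024 * 1024; // 32 MiB of 'A' deflates to a few tens of KB
        byte[] bomb = makeBomb(plaintextSize);
        System.out.printf("compressed: %d bytes, expansion ratio about %d:1%n",
                bomb.length, (long) plaintextSize / bomb.length);

        long t0 = System.nanoTime();
        byte[] plain = inflateUnbounded(bomb);
        System.out.printf("unbounded inflate produced %d bytes in %d ms%n",
                plain.length, (System.nanoTime() - t0) / 1_000_000);

        try {
            inflateBounded(bomb, MAX_INFLATED_BYTES);
        } catch (IllegalArgumentException e) {
            System.out.println("bounded inflate: " + e.getMessage());
        }

        // A legitimately small payload still inflates under the same ceiling.
        byte[] ok = inflateBounded(makeBomb(1024), MAX_INFLATED_BYTES);
        System.out.println("small payload inflated to " + ok.length + " bytes");
    }
}
```

The bounded variant checks the ceiling before copying each inflated chunk into the buffer, so the rejected stream never costs more than one chunk of memory beyond the limit. Whatever ceiling you choose, it has to cover the largest legitimate decompressed JWE payload your application accepts, or you will reject valid tokens.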

What is the Impact of GHSA-3677-xxcr-wjqv?

Successful exploitation lets an attacker exhaust memory and CPU on the host that decrypts the token, for example by driving the JVM heap to exhaustion, leaving the application unresponsive or crashing it. Confidentiality and integrity of the tokens are not affected; the impact is limited to availability.

What is the Exploitability of GHSA-3677-xxcr-wjqv?

Exploitation has moderate complexity: it requires knowledge of the JWE format and the ability to produce a token that jose4j will decrypt and that inflates to a very large plaintext. No authentication against the application is needed, since the attacker only has to deliver the token to an endpoint that decrypts it. One caveat a practitioner should keep in mind: per RFC 7516 the payload is decompressed only after the ciphertext has been decrypted and its authentication tag verified, so the attacker must be able to produce a JWE the recipient accepts. With public-key key management (for example RSA-OAEP or ECDH-ES) anyone holding the recipient's public key can do so; with a symmetric key the attacker would need that key. The attack is typically remote wherever an application accepts JWE tokens from external sources. The primary prerequisite is that the target uses a vulnerable jose4j version and decrypts JWE tokens; the highest-risk deployments are publicly reachable endpoints that accept compressed JWE tokens from unverified origins.

What are the Known Public Exploits?

No known public exploits are listed for this advisory (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for GHSA-3677-xxcr-wjqv?

Available Upgrade Options

  • org.bitbucket.b_c:jose4j
    • <0.9.5 → Upgrade to 0.9.5 or later


Additional Resources

What are Similar Vulnerabilities to GHSA-3677-xxcr-wjqv?

Similar Vulnerabilities: GHSA-h4pw-wxh7-4vjj, CVE-2023-39327, CVE-2023-39325, CVE-2022-38706, CVE-2022-23588