PT-2023-32738 · Jwcrypto+6

Rohit Keshri · Published 2023-12-28 · Updated 2026-05-06 · CVE-2023-6681

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: JWCrypto (affected versions not specified)
Description: A flaw was found in JWCrypto that allows an attacker to cause a denial of service (DoS) and makes password brute-force and dictionary attacks more resource-intensive. The issue forces a large amount of computational work, leading to a denial of service. The vulnerability affects applications that use the PBKDF2 algorithm.
Recommendations: To resolve the issue, applications that do not need PBKDF2 should exclude it from the list of allowed algorithms. Applications that do need it should upgrade to the new version, which allows setting a maximum number of rounds. As a temporary workaround, set a maximum number of default rounds to prevent excessive computational consumption.
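The two recommendations above (an algorithm allow-list, and a cap on PBKDF2 rounds) applied as a check on a JWE protected header before any key derivation runs. This is an added example written for this page, not JWCrypto's own code; the iteration limits, tokens, salt and password are constructed, and the salt rule follows RFC 7518 section 4.8.1.1.

```python
import base64
import hashlib
import json

# PBES2 algorithms (RFC 7518 4.8) -> (PBKDF2 PRF, derived key length in bytes)
PBES2_PARAMS = {"PBES2-HS256+A128KW": ("sha256", 16),
                "PBES2-HS384+A192KW": ("sha384", 24),
                "PBES2-HS512+A256KW": ("sha512", 32)}
MIN_P2C = 1000    # RFC 7518 recommends at least 1000 iterations
MAX_P2C = 16384   # assumed local ceiling on accepted iteration counts

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(header: dict) -> str:
    """Constructed JWE compact token: real protected header, placeholder segments."""
    return ".".join([b64url_encode(json.dumps(header).encode())] + ["AAAA"] * 4)

def check_jwe_header(token: str, allowed_algs: set, max_p2c: int = MAX_P2C) -> dict:
    """Validate the protected header before any key derivation is attempted."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    alg = header.get("alg")
    if alg not in allowed_algs:            # mitigation 1: exclude PBES2 unless needed
        raise ValueError(f"alg {alg!r} not in allow-list")
    if alg in PBES2_PARAMS:                # mitigation 2: bound the PBKDF2 work
        p2c = header.get("p2c")
        if isinstance(p2c, bool) or not isinstance(p2c, int) or not MIN_P2C <= p2c <= max_p2c:
            raise ValueError(f"p2c={p2c!r} outside [{MIN_P2C}, {max_p2c}]")
        if not isinstance(header.get("p2s"), str) or len(b64url_decode(header["p2s"])) < 8:
            raise ValueError("p2s missing or shorter than 8 bytes")
    return header

def derive_kek(password: bytes, header: dict) -> bytes:
    """PBES2 key derivation (RFC 7518 4.8.1.1): salt = UTF8(alg) || 0x00 || p2s."""
    prf, keylen = PBES2_PARAMS[header["alg"]]
    salt = header["alg"].encode() + b"\x00" + b64url_decode(header["p2s"])
    return hashlib.pbkdf2_hmac(prf, password, salt, header["p2c"], keylen)

# Constructed tokens: an honest one and one carrying an abusive iteration count.
HONEST = make_token({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
                     "p2s": b64url_encode(b"\x01" * 16), "p2c": 4096})
HOSTILE = make_token({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
                      "p2s": b64url_encode(b"\x01" * 16), "p2c": 2_000_000_000})
```

A deployment that never issues password-based JWEs should pass an allow-list without any PBES2 entry, so the token is rejected on `alg` alone and the iteration count is never consulted.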

Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2024:9281
AZL-43006
AZL-43009
BDU:2025-16171
CESA-2024_3267
CVE-2023-6681
GHSA-CW2R-4P82-QV79
INFSA-2024_3267
INFSA-2024_9281
OESA-2024-1195
OESA-2024-1196
OESA-2024-1197
PYSEC-2024-104
RHSA-2024:3267
RHSA-2024:9281
RHSA-2024_3267
RHSA-2024_9281
RLSA-2024:3267
RLSA-2024:9281

Affected Products

Almalinux
Centos
Debian
Jwcrypto
Red Hat
Red Os
Rocky Linux