PT-2024-2083 · Jwcrypto+6

P3Ngu1Nw · Published 2024-03-06 · Updated 2025-12-22 · CVE-2024-28102

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: jwcrypto versions prior to 1.5.6

Description: The issue is an uncontrolled resource consumption in the jwcrypto library. An attacker can cause a denial of service by passing in a malicious JWE token whose compressed payload has a very high compression ratio. When the server decompresses this token, it consumes a large amount of memory and processing time.

Recommendations: For versions prior to 1.5.6, mitigate this vulnerability by limiting the maximum token length to 250K. As a temporary workaround, consider restricting the processing of tokens with high compression ratios until a patch is available. Update to version 1.5.6 or later to fix the vulnerability.
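The two mitigations above (a hard cap on serialized token size and a refusal to inflate payloads with an extreme compression ratio) can both be enforced in front of the JWE parser. The following is an added example written for this entry; it is not code from jwcrypto or from the advisory author. It assumes "250K" means 250,000 bytes, uses Python's standard zlib module to inflate a raw DEFLATE stream (the encoding JWE uses for zip: DEF) under an output bound, and builds its own constructed sample payload; the names TokenTooLarge, check_token_size, inflate_bounded, deflate_raw and compression_ratio are all hypothetical.

```python
import zlib

# Cap from the advisory's recommendation; "250K" is read here as 250,000 bytes
# (an assumption; adjust to whatever your deployment means by 250K).
MAX_TOKEN_BYTES = 250_000

# Assumed ceiling for an inflated JWE payload. Real claim sets are tiny, so a
# bound in this range costs nothing for legitimate tokens.
MAX_PLAINTEXT_BYTES = 250_000


class TokenTooLarge(ValueError):
    """Raised when a serialized token or its inflated payload exceeds a bound."""


def check_token_size(token, max_bytes: int = MAX_TOKEN_BYTES) -> bytes:
    """Reject an oversized serialized JWE before it reaches any parser.

    Accepts str or bytes and returns the raw bytes so the caller can hand
    them on to the JWE library unchanged.
    """
    raw = token.encode("utf-8") if isinstance(token, str) else bytes(token)
    if len(raw) > max_bytes:
        raise TokenTooLarge(f"token is {len(raw)} bytes, limit is {max_bytes}")
    return raw


def inflate_bounded(data: bytes, max_out: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate a raw DEFLATE stream without letting the output exceed max_out.

    zlib is asked for at most max_out + 1 bytes. A decompression bomb is
    therefore detected as soon as one byte too many is produced, instead of
    after the whole payload has been expanded into memory.
    """
    d = zlib.decompressobj(wbits=-15)  # -15: raw DEFLATE, no zlib/gzip header
    out = d.decompress(data, max_out + 1)
    if len(out) > max_out:
        raise TokenTooLarge(
            f"inflated payload exceeds {max_out} bytes "
            f"(input was only {len(data)} bytes)"
        )
    return out


def deflate_raw(plaintext: bytes) -> bytes:
    """Raw DEFLATE compressor, used only to build the constructed sample."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(plaintext) + c.flush()


def compression_ratio(compressed: bytes, inflated: bytes) -> float:
    """Inflated size divided by compressed size; large values are suspicious."""
    return len(inflated) / max(len(compressed), 1)


if __name__ == "__main__":
    # Constructed sample: one million identical bytes deflate to well under 5 KB.
    plaintext = b"A" * 1_000_000
    sample = deflate_raw(plaintext)
    print(f"compressed to {len(sample)} bytes, "
          f"ratio ~{compression_ratio(sample, plaintext):.0f}x")
    try:
        inflate_bounded(sample)          # default 250,000-byte ceiling
    except TokenTooLarge as exc:
        print("rejected:", exc)
    # Under a generous ceiling the same stream inflates normally.
    assert inflate_bounded(sample, max_out=len(plaintext)) == plaintext
```

In a service that still runs a pre-1.5.6 jwcrypto, the intended placement is to call check_token_size on the incoming serialized token before passing it to jwcrypto's JWE deserialization, and, where the application decrypts and decompresses the payload itself, to route the ciphertext's plaintext through inflate_bounded rather than an unbounded zlib.decompress. The bounded-inflate check is a generic defensive pattern, not a description of how jwcrypto 1.5.6 implements its fix.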

Exploit

Fix

DoS

Allocation of Resources Without Limits

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2024:2559
ALSA-2024_2559
AZL-43360
AZL-43366
BDU:2024-01978
CESA-2024_3267
CVE-2024-28102
DLA-3883-1
GHSA-J857-7RVV-VJ97
INFSA-2024_2559
INFSA-2024_3267
OESA-2024-2443
OESA-2024-2444
OESA-2025-1163
OPENSUSE-SU-2024:13798-1
RHSA-2024:2559
RHSA-2024:3267
RHSA-2024:4522
RHSA-2024_2559
RHSA-2024_3267
RLSA-2024:2559
RLSA-2024:3267

Affected Products

Almalinux
Astra Linux
Centos
Red Hat
Red Os
Rocky Linux
Jwcrypto