CVE-2024-33664

CVSS v2.0

6.1

Medium

Vector

AV:N/AC:L/Au:M/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions python-jose versions 3.3.0 and earlier

Description The issue is related to high resource consumption during the decoding of a crafted JSON Web Encryption (JWE) token, which can be exploited by a remote attacker to cause a denial of service. This is also known as a "JWT bomb" due to the high compression ratio of the token.

Recommendations For python-jose versions 3.3.0 and earlier, as a temporary workaround, consider restricting the use of the JWE token decoding function until a patch is available. Avoid using the decode function with untrusted input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

DoS

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400

Related Identifiers

BDU:2024-04682

CVE-2024-33664

ECHO-BCFA-BE1B-CAFD

GHSA-CJWG-QFPM-7377

OPENSUSE-SU-2024:0149-1

OPENSUSE-SU-2024:13928-1

PYSEC-2024-233

Affected Products

Debian

Red Os

Python-Jose

CVE-2024-33664

Weakness Enumeration

Related Identifiers

Affected Products

References · 26