REDHAT-BUG-2309764
First published: Wed Sep 04 2024(Updated: )
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Connect2id Nimbus JOSE+JWT | <9.37.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of REDHAT-BUG-2309764?
The severity of REDHAT-BUG-2309764 is classified as a denial of service vulnerability.
How do I fix REDHAT-BUG-2309764?
To fix REDHAT-BUG-2309764, update to a version of Connect2id Nimbus JOSE+JWT that is 9.37.2 or later.
What component is affected by REDHAT-BUG-2309764?
The PasswordBasedDecrypter (PBKDF2) component is affected by REDHAT-BUG-2309764.
What type of attack is possible with REDHAT-BUG-2309764?
An attacker can perform a denial of service attack through resource consumption with a large JWE p2c header value.
Which versions of Nimbus JOSE+JWT are vulnerable in REDHAT-BUG-2309764?
Versions of Connect2id Nimbus JOSE+JWT prior to 9.37.2 are vulnerable according to REDHAT-BUG-2309764.
- agent/severity
- agent/type
- agent/first-publish-date
- agent/event
- agent/description
- agent/last-modified-date
- agent/references
- agent/source
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-52428
- vendor/connect2id
- canonical/connect2id nimbus jose+jwt