CVE-2024-29371
In short
The jose4j library before version 0.9.6 is vulnerable to a denial-of-service attack when it processes specially crafted encrypted tokens (JWEs) that use extreme compression. An attacker can send such tokens to make the server consume excessive memory and CPU, potentially crashing it or leaving it unresponsive.
Technical detail
CVE-2024-29371 stems from insufficient resource validation during JWE decompression in jose4j before 0.9.6. An attacker crafts a JWE token whose compressed payload has an exceptionally high compression ratio; when the server decompresses it, the payload expands to consume large amounts of memory and processing time, causing a DoS. No authentication is required if the application processes JWE tokens from untrusted sources.
Summary generated and translated by AI from the official description.
In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
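As an added illustration (not jose4j code, and not the project's fix), the defensive pattern this bug class calls for: inflate the JWE zip=DEF payload with a hard cap on the inflated size so an oversize payload is rejected before it is fully materialised. The 64 KiB cap and chunk size, the function names and the sample inputs are assumptions made for the example.

```python
import zlib

# JWE "zip":"DEF" is raw DEFLATE (RFC 1951): negative wbits, no zlib header or trailer.
RAW_DEFLATE_WBITS = -15


class DecompressionLimitExceeded(Exception):
    """Inflated JWE payload would exceed the configured size cap."""


def deflate_raw(data: bytes) -> bytes:
    """Compress as raw DEFLATE, as a JWE producer does for zip=DEF."""
    comp = zlib.compressobj(level=9, wbits=RAW_DEFLATE_WBITS)
    return comp.compress(data) + comp.flush()


def inflate_bounded(compressed: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate raw DEFLATE data without ever materialising more than max_out bytes.

    Every decompress() call is capped with max_length and the loop aborts as soon as
    the running total passes the cap; inflating fully and checking the length afterwards
    has already paid for the whole expansion by the time the check runs.
    """
    inflater = zlib.decompressobj(wbits=RAW_DEFLATE_WBITS)
    out = bytearray()
    pending = compressed
    while not inflater.eof:
        # Request at most one byte beyond the remaining allowance, so an oversize
        # stream is detected without a large allocation.
        piece = inflater.decompress(pending, min(chunk, max_out - len(out) + 1))
        out += piece
        if len(out) > max_out:
            raise DecompressionLimitExceeded(
                f"inflated size exceeds {max_out} bytes (input {len(compressed)} bytes)")
        pending = inflater.unconsumed_tail
        if not inflater.eof and not piece and not pending:
            raise ValueError("truncated DEFLATE stream")
    return bytes(out)


def inflate_or_reject(compressed: bytes, max_out: int):
    """Return the plaintext, or None when the payload trips the cap (log and drop it)."""
    try:
        return inflate_bounded(compressed, max_out)
    except DecompressionLimitExceeded:
        return None


if __name__ == "__main__":
    # Constructed inputs: a small claims set and a highly compressible 8 MiB payload.
    ok = inflate_or_reject(deflate_raw(b'{"sub":"alice"}'), 64 * 1024)
    bad = inflate_or_reject(deflate_raw(b"\0" * (8 * 1024 * 1024)), 64 * 1024)
    print(ok, bad)  # b'{"sub":"alice"}' None
```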
Affected products
n/a · n/a