CVE-2024-28180

EUVD-2024-0896
Package jose aims to provide an implementation of the JavaScript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
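A bounded decompression check of the kind the fix describes, as an added example and not go-jose's own code: it inflates raw DEFLATE (the algorithm JWE uses for "zip":"DEF") and rejects output larger than 250 kB or 10x the compressed input, whichever is larger. Function names and the constructed payloads are this example's own.

```go
package main

import (
	"bytes"
	"compress/flate"
	"fmt"
	"io"
)

// Caps from the advisory: 250 kB or 10x the compressed input, whichever is larger.
const maxAbs, maxRatio = 250 * 1024, 10

// decompressLimit returns the output cap for a compressed input of n bytes.
func decompressLimit(n int) int64 {
	if limit := int64(n) * maxRatio; limit > maxAbs {
		return limit
	}
	return maxAbs
}

// safeInflate inflates raw DEFLATE but reads at most one byte past the cap,
// so a tiny ciphertext cannot force unbounded allocation or CPU work.
func safeInflate(compressed []byte) ([]byte, error) {
	limit := decompressLimit(len(compressed))
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, fmt.Errorf("decompressed data exceeds %d bytes", limit)
	}
	return out, nil
}

// deflate builds the constructed sample payloads used below.
func deflate(data []byte) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

func main() {
	// Constructed bomb: 5 MB of 'A' deflates to a few kB, far over the cap.
	_, err := safeInflate(deflate(bytes.Repeat([]byte{'A'}, 5<<20)))
	fmt.Println("bomb:", err)
	out, err := safeInflate(deflate([]byte(`{"sub":"alice"}`)))
	fmt.Printf("normal: %s %v\n", out, err)
}
```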
Data Amplification
Provider: NIST (Primary)
Base Score (CVSS 3.x): 4.3 MEDIUM
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
EPSS Score: percentile 89%
Affected Products (NVD)
Vendor            Product   Version
go-jose_project   go-jose   2.0.0 ≤ x < 2.6.3
go-jose_project   go-jose   3.0.0 ≤ x < 3.0.3
go-jose_project   go-jose   4.0.0 ≤ x < 4.0.1
fedoraproject     fedora    38 ≤ x ≤ 40
x = vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor            Product   Version     Source
go-jose_project   go-jose   x < 4.0.1   ADP
go-jose_project   go-jose   x < 3.0.3   ADP
go-jose_project   go-jose   x < 2.6.3   ADP
Debian Releases
Debian Product                   Codename   Version   Status
golang-github-go-jose-go-jose    bookworm   -         no-dsa
golang-github-go-jose-go-jose    bullseye   -         no-dsa
golang-github-go-jose-go-jose    forky      4.0.5-1   fixed
golang-github-go-jose-go-jose    sid        4.0.5-1   fixed
golang-github-go-jose-go-jose    trixie     4.0.5-1   fixed
golang-gopkg-square-go-jose.v2   bookworm   -         no-dsa
golang-gopkg-square-go-jose.v2   bullseye   -         no-dsa
golang-gopkg-square-go-jose.v2   forky      2.6.3-3   fixed
golang-gopkg-square-go-jose.v2   sid        2.6.3-3   fixed
golang-gopkg-square-go-jose.v2   trixie     2.6.3-3   fixed
Ubuntu Releases
Ubuntu Product                   Codename   Status
golang-github-go-jose-go-jose    focal      dne
golang-github-go-jose-go-jose    jammy      dne
golang-github-go-jose-go-jose    mantic     dne
golang-github-go-jose-go-jose    noble      not-affected
golang-github-go-jose-go-jose    oracular   not-affected
golang-github-go-jose-go-jose    plucky     not-affected
openSUSE / SLES Releases
openSUSE Product         Release                         Version                  Status
buildah                  suse enterprise sap 15 SP5      1.35.4-150500.3.10.1     fixed
buildah                  suse enterprise sap 15 SP6      1.35.4-150500.3.10.1     fixed
buildah                  suse enterprise sap 15 SP7      1.35.4-150500.3.10.1     fixed
buildah                  suse enterprise server 15 SP3   1.35.4-150300.8.25.1     fixed
buildah                  suse enterprise server 15 SP4   1.35.4-150400.3.30.1     fixed
buildah                  suse enterprise server 15 SP5   1.35.4-150500.3.10.1     fixed
buildah                  suse enterprise server 15 SP6   1.35.4-150500.3.10.1     fixed
buildah                  suse enterprise server 15 SP7   1.35.4-150500.3.10.1     fixed
libgpg-error-devel       suse enterprise server 15 SP2   1.29-150000.3.3.1        fixed
libgpg-error0            suse enterprise server 15 SP2   1.29-150000.3.3.1        fixed
libgpg-error0-32bit      suse enterprise server 15 SP2   1.29-150000.3.3.1        fixed
skopeo                   suse enterprise desktop 15 SP6  1.14.4-150300.11.11.1    fixed
skopeo                   suse enterprise desktop 15 SP7  1.14.4-150300.11.11.1    fixed
skopeo                   suse enterprise sap 15 SP6      1.14.4-150300.11.11.1    fixed
skopeo                   suse enterprise sap 15 SP7      1.14.4-150300.11.11.1    fixed
skopeo                   suse enterprise server 15 SP2   1.14.4-150000.4.26.1     fixed
skopeo                   suse enterprise server 15 SP3   1.14.4-150300.11.11.1    fixed
skopeo                   suse enterprise server 15 SP4   1.14.4-150300.11.11.1    fixed
skopeo                   suse enterprise server 15 SP6   1.14.4-150300.11.11.1    fixed
skopeo                   suse enterprise server 15 SP7   1.14.4-150300.11.11.1    fixed
skopeo-bash-completion   suse enterprise desktop 15 SP6  1.14.4-150300.11.11.1    fixed
skopeo-bash-completion   suse enterprise desktop 15 SP7  1.14.4-150300.11.11.1    fixed
skopeo-bash-completion   suse enterprise sap 15 SP6      1.14.4-150300.11.11.1    fixed
skopeo-bash-completion   suse enterprise sap 15 SP7      1.14.4-150300.11.11.1    fixed
skopeo-bash-completion   suse enterprise server 15 SP6   1.14.4-150300.11.11.1    fixed
skopeo-bash-completion   suse enterprise server 15 SP7   1.14.4-150300.11.11.1    fixed
skopeo-zsh-completion    suse enterprise desktop 15 SP6  1.14.4-150300.11.11.1    fixed
skopeo-zsh-completion    suse enterprise desktop 15 SP7  1.14.4-150300.11.11.1    fixed
skopeo-zsh-completion    suse enterprise sap 15 SP6      1.14.4-150300.11.11.1    fixed
skopeo-zsh-completion    suse enterprise sap 15 SP7      1.14.4-150300.11.11.1    fixed
skopeo-zsh-completion    suse enterprise server 15 SP6   1.14.4-150300.11.11.1    fixed
skopeo-zsh-completion    suse enterprise server 15 SP7   1.14.4-150300.11.11.1    fixed
Red Hat Enterprise Linux Releases
Red Hat Product   Release   Version               Status
buildah           RHEL 9    2:1.33.7-2.el9_4      fixed
buildah-tests     RHEL 9    2:1.33.7-2.el9_4      fixed
podman            RHEL 9    4:4.9.4-4.el9_4       fixed
podman-docker     RHEL 9    4:4.9.4-4.el9_4       fixed
podman-plugins    RHEL 9    4:4.9.4-4.el9_4       fixed
podman-remote     RHEL 9    4:4.9.4-4.el9_4       fixed
podman-tests      RHEL 9    4:4.9.4-4.el9_4       fixed
skopeo            RHEL 9    2:1.14.3-2.el9_4      fixed
skopeo-tests      RHEL 9    2:1.14.3-2.el9_4      fixed