CVE-2024-28180

EUVD-2024-0896
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
Data Amplification
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
Affected Products (NVD)
VendorProductVersion
go-jose_projectgo-jose
2.0.0 ≤
𝑥
< 2.6.3
go-jose_projectgo-jose
3.0.0 ≤
𝑥
< 3.0.3
go-jose_projectgo-jose
4.0.0 ≤
𝑥
< 4.0.1
fedoraprojectfedora
38 ≤
𝑥
≤ 40
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
go-jose_projectgo-jose
𝑥
< 4.0.1
ADP
go-jose_projectgo-jose
𝑥
< 3.0.3
ADP
go-jose_projectgo-jose
𝑥
< 2.6.3
ADP
Debian logo
Debian Releases
Debian Product
Codename
golang-github-go-jose-go-jose
bookworm
no-dsa
bullseye
no-dsa
forky
4.0.5-1
fixed
sid
4.0.5-1
fixed
trixie
4.0.5-1
fixed
golang-gopkg-square-go-jose.v2
bookworm
no-dsa
bullseye
no-dsa
forky
2.6.3-3
fixed
sid
2.6.3-3
fixed
trixie
2.6.3-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-go-jose-go-jose
focal
dne
jammy
dne
mantic
dne
noble
not-affected
oracular
not-affected
plucky
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
buildah
suse enterprise sap 15 SP5
1.35.4-150500.3.10.1
fixed
suse enterprise sap 15 SP6
1.35.4-150500.3.10.1
fixed
suse enterprise sap 15 SP7
1.35.4-150500.3.10.1
fixed
suse enterprise server 15 SP3
1.35.4-150300.8.25.1
fixed
suse enterprise server 15 SP4
1.35.4-150400.3.30.1
fixed
suse enterprise server 15 SP5
1.35.4-150500.3.10.1
fixed
suse enterprise server 15 SP6
1.35.4-150500.3.10.1
fixed
suse enterprise server 15 SP7
1.35.4-150500.3.10.1
fixed
libgpg-error-devel
suse enterprise server 15 SP2
1.29-150000.3.3.1
fixed
libgpg-error0
suse enterprise server 15 SP2
1.29-150000.3.3.1
fixed
libgpg-error0-32bit
suse enterprise server 15 SP2
1.29-150000.3.3.1
fixed
skopeo
suse enterprise desktop 15 SP6
1.14.4-150300.11.11.1
fixed
suse enterprise desktop 15 SP7
1.14.4-150300.11.11.1
fixed
suse enterprise sap 15 SP6
1.14.4-150300.11.11.1
fixed
suse enterprise sap 15 SP7
1.14.4-150300.11.11.1
fixed
suse enterprise server 15 SP2
1.14.4-150000.4.26.1
fixed
suse enterprise server 15 SP3
1.14.4-150300.11.11.1
fixed
suse enterprise server 15 SP4
1.14.4-150300.11.11.1
fixed
suse enterprise server 15 SP6
1.14.4-150300.11.11.1
fixed
suse enterprise server 15 SP7
1.14.4-150300.11.11.1
fixed
skopeo-bash-completion
suse enterprise desktop 15 SP6
1.14.4-150300.11.11.1
fixed
suse enterprise desktop 15 SP7
1.14.4-150300.11.11.1
fixed
suse enterprise sap 15 SP6
1.14.4-150300.11.11.1
fixed
suse enterprise sap 15 SP7
1.14.4-150300.11.11.1
fixed
suse enterprise server 15 SP6
1.14.4-150300.11.11.1
fixed
suse enterprise server 15 SP7
1.14.4-150300.11.11.1
fixed
skopeo-zsh-completion
suse enterprise desktop 15 SP6
1.14.4-150300.11.11.1
fixed
suse enterprise desktop 15 SP7
1.14.4-150300.11.11.1
fixed
suse enterprise sap 15 SP6
1.14.4-150300.11.11.1
fixed
suse enterprise sap 15 SP7
1.14.4-150300.11.11.1
fixed
suse enterprise server 15 SP6
1.14.4-150300.11.11.1
fixed
suse enterprise server 15 SP7
1.14.4-150300.11.11.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
buildah
RHEL 9
2:1.33.7-2.el9_4
fixed
buildah-tests
RHEL 9
2:1.33.7-2.el9_4
fixed
podman
RHEL 9
4:4.9.4-4.el9_4
fixed
podman-docker
RHEL 9
4:4.9.4-4.el9_4
fixed
podman-plugins
RHEL 9
4:4.9.4-4.el9_4
fixed
podman-remote
RHEL 9
4:4.9.4-4.el9_4
fixed
podman-tests
RHEL 9
4:4.9.4-4.el9_4
fixed
skopeo
RHEL 9
2:1.14.3-2.el9_4
fixed
skopeo-tests
RHEL 9
2:1.14.3-2.el9_4
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
nerdctl
Amazon Linux 2
0:1.7.6-1.amzn2.0.1
fixed
Amazon Linux 2023
0:1.7.6-1.amzn2023.0.1
fixed
nerdctl-debuginfo
Amazon Linux 2
0:1.7.6-1.amzn2.0.1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
buildah
Azure Linux 3.0
0:1.41.4-2.azl3
fixed
cert-manager
Azure Linux 3.0
0:1.12.12-1.azl3
fixed
CBL-Mariner 2.0
0:1.11.2-14.cm2
fixed
containerd
Azure Linux 3.0
0:1.7.13-6.azl3
fixed
containerized-data-importer
Azure Linux 3.0
0:1.57.0-9.azl3
fixed
CBL-Mariner 2.0
0:1.55.0-20.cm2
fixed
cri-o
CBL-Mariner 2.0
0:1.21.7-2.cm2
fixed
dcos-cli
Azure Linux 3.0
0:1.2.0-16.azl3
fixed
CBL-Mariner 2.0
0:1.2.0-19.cm2
fixed
influxdb
Azure Linux 3.0
0:2.7.3-9.azl3
fixed
CBL-Mariner 2.0
0:2.6.1-20.cm2
fixed
keda
Azure Linux 3.0
0:2.14.0-1.azl3
fixed
CBL-Mariner 2.0
0:2.4.0-26.cm2
fixed
kube-vip-cloud-provider
CBL-Mariner 2.0
0:0.0.2-19.cm2
fixed
kubernetes
Azure Linux 3.0
0:1.30.1-1.azl3
fixed
CBL-Mariner 2.0
0:0.0.0.cm2
fixed
moby-containerd
CBL-Mariner 2.0
0:1.6.26-9.cm2
fixed
moby-containerd-cc
Azure Linux 3.0
0:1.7.7-6.azl3
fixed
CBL-Mariner 2.0
0:1.7.7-9.cm2
fixed
packer
Azure Linux 3.0
0:1.9.5-6.azl3
fixed
CBL-Mariner 2.0
0:1.9.5-8.cm2
fixed
podman
Azure Linux 3.0
0:5.6.1-2.azl3
fixed
rook
CBL-Mariner 2.0
0:1.6.2-23.cm2
fixed
skopeo
Azure Linux 3.0
0:1.14.4-1.azl3
fixed
CBL-Mariner 2.0
0:1.14.2-9.cm2
fixed
telegraf
Azure Linux 3.0
0:1.31.0-1.azl3
fixed
CBL-Mariner 2.0
0:1.29.4-8.cm2
fixed
References