CVE-2024-29370

EUVD-2024-26380
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When the server processes such a token, decompressing it consumes significant memory and processing time.
Data Amplification
Provider | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | Primary | 5.3 MEDIUM | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA-ADP | ADP     | 5.3 MEDIUM | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score (CVSS 3.x): 5.3 MEDIUM
EPSS Score: percentile 35%
Affected Products (NVD)
Vendor              | Product     | Version
python-jose_project | python-jose | 3.3.0 (vulnerable)
Debian Releases
Debian Product | Codename  | Status
python-jose    | bookworm  | vulnerable

Ubuntu Releases
Ubuntu Product | Codename  | Status
python-jose    | jammy     | needs-triage
python-jose    | noble     | needs-triage
python-jose    | plucky    | dne
python-jose    | questing  | dne