Resource exhaustion in Nimbus JOSE+JWT

#VU87615 Resource exhaustion in Nimbus JOSE+JWT

Published: 2024-03-19

Vulnerability identifier: #VU87615

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-52428

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Nimbus JOSE+JWT
Universal components / Libraries / Libraries used by multiple products

Vendor:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of user requests by the PasswordBasedDecrypter (PBKDF2) component. A remote attacker can send a specially crafted request using a large JWE p2c header, trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/
http://connect2id.com/products/nimbus-jose-jwt
http://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Jira Service Management Data Center and Server update for Nimbus JOSE+JWT

Multiple vulnerabilities in Oracle WebLogic Server

Multiple vulnerabilities in Primavera Unifier

Resource exhaustion in IBM Sterling Connect:Direct for UNIX

Resource exhaustion in IBM Sterling Connect:Direct for Microsoft Windows