In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
History

Wed, 06 Nov 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat jboss Enterprise Application Platform
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:8.0
cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
Vendors & Products Redhat jboss Enterprise Application Platform

Wed, 30 Oct 2024 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Oct 2024 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Connect2id
Connect2id nimbus Jose\+jwt
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:connect2id:nimbus_jose\+jwt:*:*:*:*:*:*:*:*
Vendors & Products Connect2id
Connect2id nimbus Jose\+jwt

Tue, 15 Oct 2024 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:apache_camel_spring_boot:4.4.3

Thu, 19 Sep 2024 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat apache Camel Spring Boot
CPEs cpe:/a:redhat:apache_camel_spring_boot:3.20.7
Vendors & Products Redhat
Redhat apache Camel Spring Boot

Fri, 06 Sep 2024 14:00:00 +0000

Type Values Removed Values Added
Title nimbus-jose-jwt: large JWE p2c header value causes Denial of Service
Weaknesses CWE-400
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-02-11T00:00:00

Updated: 2024-10-30T19:50:55.784Z

Reserved: 2024-02-11T00:00:00

Link: CVE-2023-52428

cve-icon Vulnrichment

Updated: 2024-08-02T22:55:41.674Z

cve-icon NVD

Status : Modified

Published: 2024-02-11T05:15:08.383

Modified: 2024-11-21T08:39:43.963

Link: CVE-2023-52428

cve-icon Redhat

Severity : Important

Publid Date: 2024-02-11T00:00:00Z

Links: CVE-2023-52428 - Bugzilla