CVE-2023-52428 - Vulnerability Details

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Connect2id	Nimbus Jose\+jwt
Redhat	Amq Streams Apache Camel Spring Boot Jboss Enterprise Application Platform

Configuration 1 [-]

cpe:2.3:a:connect2id:nimbus_jose\+jwt:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat build of Apache Camel 3.20.7 for Spring Boot
com.nimbusds/nimbus-jose-jwt	cpe:/a:redhat:apache_camel_spring_boot:3.20.7	RHSA-2024:6883	2024-09-19T00:00:00Z
Red Hat build of Apache Camel 4.4.3 for Spring Boot
com.nimbusds/nimbus-jose-jwt	cpe:/a:redhat:apache_camel_spring_boot:4.4.3	RHSA-2024:8064	2024-10-14T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8
com.nimbusds/nimbus-jose-jwt	cpe:/a:redhat:jboss_enterprise_application_platform:8.0	RHSA-2024:8826	2024-11-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
eap8-activemq-artemis-0:2.33.0-1.redhat_00015.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-activemq-artemis-native-1:2.0.0-2.redhat_00005.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-aesh-extensions-0:1.8.0-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-aesh-readline-0:2.2.0-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-commons-codec-0:1.16.1-2.redhat_00007.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-commons-collections-0:3.2.2-28.redhat_2.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-commons-io-0:2.15.1-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-commons-lang-0:3.14.0-2.redhat_00006.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-apache-cxf-0:4.0.5-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-artemis-native-1:2.0.0-2.redhat_00005.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-artemis-wildfly-integration-0:2.0.1-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-asyncutil-0:0.1.0-2.redhat_00010.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-aws-java-sdk-0:1.12.284-2.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-cryptacular-0:1.2.5-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-eap-product-conf-parent-0:800.4.0-1.GA_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-fastinfoset-0:2.1.0-4.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-hibernate-0:6.2.31-1.Final_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-hibernate-validator-0:8.0.1-3.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-hppc-0:0.8.1-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-insights-java-client-0:1.1.3-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jakarta-servlet-jsp-jstl-api-0:3.0.1-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jboss-logging-0:3.5.3-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jctools-0:4.0.2-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-jgroups-0:5.3.10-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-log4j-0:2.22.1-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-narayana-0:6.0.3-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-nimbus-jose-jwt-0:9.37.3-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-objectweb-asm-0:9.6.0-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-pem-keystore-0:2.3.0-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-resteasy-extensions-0:2.0.1-3.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-resteasy-spring-0:3.0.1-2.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-saaj-impl-0:3.0.4-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-shibboleth-java-support-0:8.0.0-6.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-slf4j-0:2.0.16-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-snakeyaml-0:2.2.0-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
eap8-wildfly-0:8.0.4-2.GA_redhat_00005.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:8823	2024-11-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
eap8-activemq-artemis-0:2.33.0-1.redhat_00015.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-activemq-artemis-native-1:2.0.0-2.redhat_00005.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-aesh-extensions-0:1.8.0-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-aesh-readline-0:2.2.0-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-commons-codec-0:1.16.1-2.redhat_00007.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-commons-collections-0:3.2.2-28.redhat_2.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-commons-io-0:2.15.1-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-commons-lang-0:3.14.0-2.redhat_00006.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-apache-cxf-0:4.0.5-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-artemis-native-1:2.0.0-2.redhat_00005.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-artemis-wildfly-integration-0:2.0.1-1.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-asyncutil-0:0.1.0-2.redhat_00010.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-aws-java-sdk-0:1.12.284-2.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-cryptacular-0:1.2.5-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-eap-product-conf-parent-0:800.4.0-1.GA_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-fastinfoset-0:2.1.0-4.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-hibernate-0:6.2.31-1.Final_redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-hibernate-validator-0:8.0.1-3.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-hppc-0:0.8.1-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-insights-java-client-0:1.1.3-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jakarta-servlet-jsp-jstl-api-0:3.0.1-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jboss-logging-0:3.5.3-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jctools-0:4.0.2-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-jgroups-0:5.3.10-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-log4j-0:2.22.1-1.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-narayana-0:6.0.3-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-nimbus-jose-jwt-0:9.37.3-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-objectweb-asm-0:9.6.0-1.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-pem-keystore-0:2.3.0-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-resteasy-extensions-0:2.0.1-3.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-resteasy-spring-0:3.0.1-2.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-saaj-impl-0:3.0.4-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-shibboleth-java-support-0:8.0.0-6.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-slf4j-0:2.0.16-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-snakeyaml-0:2.2.0-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
eap8-wildfly-0:8.0.4-2.GA_redhat_00005.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:8824	2024-11-04T00:00:00Z
Streams for Apache Kafka 2.9.0
	cpe:/a:redhat:amq_streams:2	RHSA-2025:2416	2025-03-05T00:00:00Z

References

Link	Providers
https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e
https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/
https://connect2id.com/products/nimbus-jose-jwt
https://nvd.nist.gov/vuln/detail/CVE-2023-52428
https://www.cve.org/CVERecord?id=CVE-2023-52428

History

Thu, 06 Mar 2025 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat amq Streams
CPEs		cpe:/a:redhat:amq_streams:2
Vendors & Products		Redhat amq Streams

Wed, 06 Nov 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform:8.0 cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8 cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
Vendors & Products		Redhat jboss Enterprise Application Platform

Wed, 30 Oct 2024 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 16 Oct 2024 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Connect2id Connect2id nimbus Jose\+jwt
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:connect2id:nimbus_jose\+jwt::::::::
Vendors & Products		Connect2id Connect2id nimbus Jose\+jwt

Tue, 15 Oct 2024 02:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:apache_camel_spring_boot:4.4.3

Thu, 19 Sep 2024 23:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat apache Camel Spring Boot
CPEs		cpe:/a:redhat:apache_camel_spring_boot:3.20.7
Vendors & Products		Redhat Redhat apache Camel Spring Boot

Fri, 06 Sep 2024 14:00:00 +0000

Type	Values Removed	Values Added
Title		nimbus-jose-jwt: large JWE p2c header value causes Denial of Service
Weaknesses		CWE-400
References		https://nvd.nist.gov/vuln/detail/CVE-2023-52428 https://www.cve.org/CVERecord?id=CVE-2023-52428
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Important`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-02-11T00:00:00

Updated: 2024-10-30T19:50:55.784Z

Reserved: 2024-02-11T00:00:00

Link: CVE-2023-52428

Vulnrichment

Updated: 2024-08-02T22:55:41.674Z

NVD

Status : Modified

Published: 2024-02-11T05:15:08.383

Modified: 2024-11-21T08:39:43.963

Link: CVE-2023-52428

Redhat

Severity : Important

Publid Date: 2024-02-11T00:00:00Z

Links: CVE-2023-52428 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-52428", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-30T19:50:55.784Z", "dateReserved": "2024-02-11T00:00:00", "datePublished": "2024-02-11T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-02-11T04:43:14.335876"}, "descriptions": [{"lang": "en", "value": "In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/"}, {"url": "https://connect2id.com/products/nimbus-jose-jwt"}, {"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-770", "lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-30T19:49:39.428104Z", "id": "CVE-2023-52428", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-30T19:50:55.784Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:55:41.674Z"}, "title": "CVE Program Container", "references": [{"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/", "tags": ["x_transferred"]}, {"url": "https://connect2id.com/products/nimbus-jose-jwt", "tags": ["x_transferred"]}, {"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/", "tags": ["x_transferred"]}, {"url": "https://connect2id.com/products/nimbus-jose-jwt", "tags": ["x_transferred"]}, {"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:55:41.674Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-52428", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-30T19:49:39.428104Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:11.753Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/"}, {"url": "https://connect2id.com/products/nimbus-jose-jwt"}, {"url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e"}], "descriptions": [{"lang": "en", "value": "In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-02-11T04:43:14.335876"}}}, "cveMetadata": {"cveId": "CVE-2023-52428", "state": "PUBLISHED", "dateUpdated": "2024-10-30T19:50:55.784Z", "dateReserved": "2024-02-11T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-02-11T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:connect2id:nimbus_jose\\+jwt:*:*:*:*:*:*:*:*", "matchCriteriaId": "B33B5D00-0BBE-409A-B453-E9124F17CF99", "versionEndExcluding": "9.37.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component."}, {"lang": "es", "value": "En Connect2id Nimbus JOSE+JWT anterior a 9.37.2, un atacante puede provocar una denegaci\u00f3n de servicio (consumo de recursos) a trav\u00e9s de un valor de encabezado JWE p2c grande (tambi\u00e9n conocido como recuento de iteraciones) para el componente PasswordBasedDecrypter (PBKDF2)."}], "id": "CVE-2023-52428", "lastModified": "2024-11-21T08:39:43.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-02-11T05:15:08.383", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://connect2id.com/products/nimbus-jose-jwt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://connect2id.com/products/nimbus-jose-jwt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:6883", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:3.20.7", "package": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat build of Apache Camel 3.20.7 for Spring Boot", "release_date": "2024-09-19T00:00:00Z"}, {"advisory": "RHSA-2024:8064", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.3", "package": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat build of Apache Camel 4.4.3 for Spring Boot", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8826", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat JBoss Enterprise Application Platform 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-activemq-artemis-0:2.33.0-1.redhat_00015.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-activemq-artemis-native-1:2.0.0-2.redhat_00005.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-aesh-extensions-0:1.8.0-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-aesh-readline-0:2.2.0-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-commons-codec-0:1.16.1-2.redhat_00007.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-commons-collections-0:3.2.2-28.redhat_2.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-commons-io-0:2.15.1-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-commons-lang-0:3.14.0-2.redhat_00006.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-apache-cxf-0:4.0.5-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-artemis-native-1:2.0.0-2.redhat_00005.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-artemis-wildfly-integration-0:2.0.1-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-asyncutil-0:0.1.0-2.redhat_00010.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-aws-java-sdk-0:1.12.284-2.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-cryptacular-0:1.2.5-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-eap-product-conf-parent-0:800.4.0-1.GA_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-fastinfoset-0:2.1.0-4.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-hibernate-0:6.2.31-1.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-hibernate-validator-0:8.0.1-3.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-hppc-0:0.8.1-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-insights-java-client-0:1.1.3-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jakarta-servlet-jsp-jstl-api-0:3.0.1-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jboss-logging-0:3.5.3-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jctools-0:4.0.2-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jgroups-0:5.3.10-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-log4j-0:2.22.1-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-narayana-0:6.0.3-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-nimbus-jose-jwt-0:9.37.3-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-objectweb-asm-0:9.6.0-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-pem-keystore-0:2.3.0-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-resteasy-extensions-0:2.0.1-3.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-resteasy-spring-0:3.0.1-2.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-saaj-impl-0:3.0.4-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-shibboleth-java-support-0:8.0.0-6.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-slf4j-0:2.0.16-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-snakeyaml-0:2.2.0-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8823", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-wildfly-0:8.0.4-2.GA_redhat_00005.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-activemq-artemis-0:2.33.0-1.redhat_00015.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-activemq-artemis-native-1:2.0.0-2.redhat_00005.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-aesh-extensions-0:1.8.0-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-aesh-readline-0:2.2.0-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-codec-0:1.16.1-2.redhat_00007.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-collections-0:3.2.2-28.redhat_2.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-io-0:2.15.1-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-commons-lang-0:3.14.0-2.redhat_00006.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-apache-cxf-0:4.0.5-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-artemis-native-1:2.0.0-2.redhat_00005.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-artemis-wildfly-integration-0:2.0.1-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-asyncutil-0:0.1.0-2.redhat_00010.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-aws-java-sdk-0:1.12.284-2.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-cryptacular-0:1.2.5-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-eap-product-conf-parent-0:800.4.0-1.GA_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-fastinfoset-0:2.1.0-4.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hibernate-0:6.2.31-1.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hibernate-validator-0:8.0.1-3.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hppc-0:0.8.1-2.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-insights-java-client-0:1.1.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jakarta-servlet-jsp-jstl-api-0:3.0.1-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jboss-cert-helper-0:1.1.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jboss-logging-0:3.5.3-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jctools-0:4.0.2-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jgroups-0:5.3.10-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-log4j-0:2.22.1-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-narayana-0:6.0.3-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-nimbus-jose-jwt-0:9.37.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-objectweb-asm-0:9.6.0-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-pem-keystore-0:2.3.0-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-resteasy-extensions-0:2.0.1-3.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-resteasy-spring-0:3.0.1-2.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-saaj-impl-0:3.0.4-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-shibboleth-java-support-0:8.0.0-6.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-slf4j-0:2.0.16-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-snakeyaml-0:2.2.0-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8824", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wildfly-0:8.0.4-2.GA_redhat_00005.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2025:2416", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Streams for Apache Kafka 2.9.0", "release_date": "2025-03-05T00:00:00Z"}], "bugzilla": {"description": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service", "id": "2309764", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.", "A vulnerability was found in the Nimbus Jose JWT package. This issue could allow an attacker to use a malicious large JWE p2c header value for PasswordBasedDecrypter and cause a Denial of Service (DoS)."], "name": "CVE-2023-52428", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Will not fix", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Will not fix", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Will not fix", "package_name": "com.nimbusds/nimbus-jose-jwt", "product_name": "streams for Apache Kafka"}], "public_date": "2024-02-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52428\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52428"], "threat_severity": "Important"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object