REDHAT-BUG-2309764: High severity Connect2id Nimbus JOSE+JWT vulnerability
Published Sep 4, 2024
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
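Nimbus JOSE+JWT is a Java library; the following Python is an added illustration, not code from the library or from the advisory, of the mitigation pattern that applies here: read the JWE protected header and reject a PBES2 token whose p2c exceeds a cap before any PBKDF2 work is done. The cap value, the helper names and the sample tokens are assumptions constructed for the example; the fix for the advisory itself is upgrading to 9.37.2 or later.

```python
import base64
import json

# Cap on the PBES2 iteration count this example will accept. The figure is an
# assumption chosen for illustration (tune it to the cost you are willing to
# pay per decryption attempt); it is not taken from the library or advisory.
MAX_P2C = 1_000_000

# The three PBES2 "alg" values defined for JWE (RFC 7518 section 4.8).
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used in JOSE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_protected_header(jwe_compact: str) -> dict:
    """Return the JWE protected header as a dict without touching other segments."""
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization must have exactly 5 segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header


def check_pbes2_iteration_count(jwe_compact: str, max_p2c: int = MAX_P2C) -> int:
    """Validate p2c for a PBES2 JWE and return it; raise ValueError otherwise.

    Call this before handing the token to the decrypter so that an oversized
    iteration count is rejected without running PBKDF2 at all.
    """
    header = parse_protected_header(jwe_compact)
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        raise ValueError(f"not a PBES2 JWE: alg={alg!r}")
    p2c = header.get("p2c")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        raise ValueError("p2c must be a JSON integer")
    if p2c < 1:
        raise ValueError(f"p2c must be positive, got {p2c}")
    if p2c > max_p2c:
        raise ValueError(f"p2c={p2c} exceeds cap {max_p2c}; refusing to run PBKDF2")
    return p2c


def is_safe_to_decrypt(jwe_compact: str, max_p2c: int = MAX_P2C) -> bool:
    """Boolean form of the check for callers that prefer not to catch exceptions."""
    try:
        check_pbes2_iteration_count(jwe_compact, max_p2c)
        return True
    except ValueError:
        return False


def make_sample_jwe(p2c: int) -> str:
    """Build a constructed JWE-shaped string carrying the given p2c.

    Only the protected header is meaningful; the other four segments are
    placeholders, since this example never decrypts anything.
    """
    header = {
        "alg": "PBES2-HS256+A128KW",
        "enc": "A128CBC-HS256",
        "p2s": _b64url_encode(b"constructed-salt"),
        "p2c": p2c,
    }
    protected = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    placeholder = _b64url_encode(b"placeholder")
    return ".".join([protected, placeholder, placeholder, placeholder, placeholder])


# Constructed samples: a modest count a server would accept, and an oversized
# count of the kind the advisory describes.
SAMPLE_OK = make_sample_jwe(4096)
SAMPLE_OVERSIZED = make_sample_jwe(2_000_000_000)

if __name__ == "__main__":
    print("accepted token p2c:", check_pbes2_iteration_count(SAMPLE_OK))
    print("oversized token accepted?", is_safe_to_decrypt(SAMPLE_OVERSIZED))
```

The check only base64url-decodes and JSON-parses the first segment, so its cost is bounded by the header size regardless of the p2c value; rejected tokens are a cheap parse failure rather than a multi-second PBKDF2 run. Logging the rejected p2c value gives a simple detection signal for attempts to exercise this weakness.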
Affected Software
1 affected component
Connect2id Nimbus JOSE+JWT < 9.37.2
Event History
Sep 4, 2024
Data sourced via Red Hat, 05:10 PM
Frequently Asked Questions
1. What is the severity of REDHAT-BUG-2309764?
REDHAT-BUG-2309764 is classified as high severity; it is a denial of service vulnerability.
2. How do I fix REDHAT-BUG-2309764?
To fix REDHAT-BUG-2309764, update to a version of Connect2id Nimbus JOSE+JWT that is 9.37.2 or later.
3. What component is affected by REDHAT-BUG-2309764?
The PasswordBasedDecrypter (PBKDF2) component is affected by REDHAT-BUG-2309764.
4. What type of attack is possible with REDHAT-BUG-2309764?
An attacker can cause a denial of service through resource consumption by supplying a large JWE p2c (iteration count) header value.
5. Which versions of Nimbus JOSE+JWT are vulnerable in REDHAT-BUG-2309764?
Versions of Connect2id Nimbus JOSE+JWT prior to 9.37.2 are vulnerable according to REDHAT-BUG-2309764.