okta-sdk-golang v2.20.0, high risk vulnerabilities with go.jose dependency #424
Comments
|
This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the |
|
This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the |
|
This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug?
Detailed paths
Introduced through: github.com/okta/okta-sdk-golang@v2.20.0 › github.com/go-jose/go-jose@v3.0.1
Security information
Factors contributing to the scoring:
Snyk: CVSS 7.5 - High Severity
NVD: NVD only publishes analysis of vulnerabilities which are assigned a CVE ID. This vulnerability currently does not have an assigned CVE ID.
Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS) when decrypting JWE inputs. An attacker can cause a denial-of-service by providing a PBES2 encrypted JWE blob with a very large p2c value.
What is expected to happen?
We are considering OKTA to release an stable version with the fix for this findings.
What is the actual behavior?
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS) when decrypting JWE inputs. An attacker can cause a denial-of-service by providing a PBES2 encrypted JWE blob with a very large p2c value.
Reproduction Steps?
This vulnerabilities dependency was identified from OKTA library we are using.
Additional Information?
No response
Golang Version
1.21.4
SDK Version
OS version
No response
The text was updated successfully, but these errors were encountered: