CVE-2023-50966: DoS via a large p2c value in a JOSE header #156
Comments
|
We got this reported in one of our builds when doing snyk security scan: https://security.snyk.io/vuln/SNYK-HEX-JOSE-6468183 |
|
@bowlofeggs Thank you for reporting this! This should be fixed in jose 1.11.8 (see changelog). A new setting under 1> JWE = jose_jwe:from_map(#{<<"alg">> => <<"PBES2-HS256+A128KW">>, <<"p2c">> => 10_001, <<"p2s">> => <<>>}).
#jose_jwe{alg = {jose_jwe_alg_pbes2,#jose_jwe_alg_pbes2{hmac = sha256,
salt = <<80,66,69,83,50,45,72,83,50,53,54,43,65,49,50,56,
75,87,0>>,
iter = 10001,wrap = aes_kw,bits = 128,iv = undefined,
tag = undefined}},
enc = undefined,zip = undefined,fields = #{}}
2> jose_jwe:key_encrypt(<<"password">>, <<0:128>>, JWE).
** exception error: bad argument
in function jose_jwe_alg_pbes2:pbkdf2/5
called as jose_jwe_alg_pbes2:pbkdf2({hmac,sha256},
<<"REDACTED">>,
<<80,66,69,83,50,45,72,83,50,53,54,43,65,49,50,56,75,87,0>>,
10001,16)
*** argument 4: maximum PBES2 iterations is set to 10000, but 10001 was attempted (see jose:pbes2_count_maximum/0)
in call from jose_jwe_alg_pbes2:key_encrypt/3 (/build/jose/src/jwe/jose_jwe_alg_pbes2.erl, line 143)
in call from jose_jwe:key_encrypt/3 (/build/jose/src/jwe/jose_jwe.erl, line 327) |
|
@potatosalad This is still showing up as a vulnerability in Snyk even though my version is at |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I noticed that this CVE was published today but I didn't see it reported here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50966
The text was updated successfully, but these errors were encountered: