CVE-2023-50966: DoS via a large p2c value in a JOSE header #156
Comments
We got this reported in one of our builds when doing snyk security scan: https://security.snyk.io/vuln/SNYK-HEX-JOSE-6468183
@bowlofeggs Thank you for reporting this! This should be fixed in jose 1.11.8 (see changelog). A new setting under

```erlang
1> JWE = jose_jwe:from_map(#{<<"alg">> => <<"PBES2-HS256+A128KW">>, <<"p2c">> => 10_001, <<"p2s">> => <<>>}).
#jose_jwe{alg = {jose_jwe_alg_pbes2,#jose_jwe_alg_pbes2{hmac = sha256,
                                                        salt = <<80,66,69,83,50,45,72,83,50,53,54,43,65,49,50,56,
                                                                 75,87,0>>,
                                                        iter = 10001,wrap = aes_kw,bits = 128,iv = undefined,
                                                        tag = undefined}},
         enc = undefined,zip = undefined,fields = #{}}
2> jose_jwe:key_encrypt(<<"password">>, <<0:128>>, JWE).
** exception error: bad argument
     in function  jose_jwe_alg_pbes2:pbkdf2/5
        called as jose_jwe_alg_pbes2:pbkdf2({hmac,sha256},
                                            <<"REDACTED">>,
                                            <<80,66,69,83,50,45,72,83,50,53,54,43,65,49,50,56,75,87,0>>,
                                            10001,16)
        *** argument 4: maximum PBES2 iterations is set to 10000, but 10001 was attempted (see jose:pbes2_count_maximum/0)
     in call from jose_jwe_alg_pbes2:key_encrypt/3 (/build/jose/src/jwe/jose_jwe_alg_pbes2.erl, line 143)
     in call from jose_jwe:key_encrypt/3 (/build/jose/src/jwe/jose_jwe.erl, line 327)
```
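The shell session above shows the shape of the fix: the PBES2 iteration count (`p2c`) taken from an attacker-controlled JWE header is compared against a configured maximum before PBKDF2 runs, and the whole point of CVE-2023-50966 is that without such a cap the sender decides how much CPU the recipient burns. The following Python is an added example written for this page, not code from erlang-jose; the cap of 10_000, the function names and the exception class are assumptions chosen to mirror the error message above, and the header values are constructed to match the issue's reproduction (`p2c` one over the limit, empty `p2s`). The salt it builds is exactly the byte string shown in the Erlang output, because RFC 7518 defines the PBES2 salt as `UTF8(alg) || 0x00 || p2s`.

```python
"""Added example (not erlang-jose code): reject an oversized PBES2 "p2c"
before running PBKDF2 on a JWE protected header (CVE-2023-50966 class)."""
import base64
import hashlib
import json

# Assumed cap on "p2c"; 10_000 mirrors the limit reported in the jose error
# above. Pick the value for your own deployment and threat model.
PBES2_COUNT_MAXIMUM = 10_000

# RFC 7518 section 4.8: PBES2 alg -> (PRF hash, derived wrapping-key length)
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


class Pbes2CountTooLarge(ValueError):
    """Raised when the header's p2c exceeds the configured maximum."""


def b64url_decode(data: str) -> bytes:
    """base64url without padding, as JOSE encodes it."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def encode_protected_header(header: dict) -> str:
    """Serialise a header dict as a compact-JWE protected-header segment."""
    raw = json.dumps(header, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def protected_header_from_compact(jwe: str) -> dict:
    """Parse the first (protected header) segment of a compact JWE."""
    return json.loads(b64url_decode(jwe.split(".", 1)[0]))


def pbes2_salt(alg: str, p2s: str) -> bytes:
    """RFC 7518 section 4.8.1.1: salt = UTF8(alg) || 0x00 || p2s."""
    return alg.encode("utf-8") + b"\x00" + b64url_decode(p2s)


def check_pbes2_header(header: dict, count_maximum: int = PBES2_COUNT_MAXIMUM) -> int:
    """Validate alg/p2c/p2s and return the iteration count, or raise.

    This runs before any PBKDF2 work: once the loop starts, an attacker-chosen
    p2c is already deciding how long the recipient is busy."""
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        raise ValueError(f"not a PBES2 algorithm: {alg!r}")
    p2c = header.get("p2c")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
        raise ValueError(f"p2c must be a positive integer, got {p2c!r}")
    if p2c > count_maximum:
        raise Pbes2CountTooLarge(
            f"maximum PBES2 iterations is set to {count_maximum}, "
            f"but {p2c} was attempted")
    if not isinstance(header.get("p2s"), str):
        raise ValueError("p2s must be a base64url string")
    return p2c


def derive_pbes2_wrapping_key(password: bytes, header: dict,
                              count_maximum: int = PBES2_COUNT_MAXIMUM) -> bytes:
    """Derive the AES-KW wrapping key for a PBES2 header (RFC 7518 4.8.1),
    but only after the iteration count has passed the cap check."""
    p2c = check_pbes2_header(header, count_maximum)
    hash_name, dklen = PBES2_ALGS[header["alg"]]
    salt = pbes2_salt(header["alg"], header["p2s"])
    return hashlib.pbkdf2_hmac(hash_name, password, salt, p2c, dklen)


def main() -> None:
    # Constructed header matching the issue's reproduction: one over the cap.
    hostile = {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2c": 10_001, "p2s": ""}
    jwe = encode_protected_header(hostile) + ".<encrypted-key>.<iv>.<ciphertext>.<tag>"
    header = protected_header_from_compact(jwe)
    try:
        derive_pbes2_wrapping_key(b"password", header)
    except Pbes2CountTooLarge as exc:
        print("rejected before PBKDF2:", exc)
    accepted = dict(header, p2c=10_000)
    print("wrapping key:", derive_pbes2_wrapping_key(b"password", accepted).hex())


if __name__ == "__main__":
    main()
```

The check deliberately happens on the parsed header, not inside the KDF, so a recipient can also apply it to a JWE it has no intention of decrypting (for example at an API gateway) and drop the message cheaply.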
@potatosalad This is still showing up as a vulnerability in Snyk even though my version is at
I noticed that this CVE was published today but I didn't see it reported here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50966