fix(deps): update go-jose to version 4.0.2 to fix vulnerability #344

panapol-p · 2024-06-12T11:54:44Z

GO-2024-2631: Decompression bomb vulnerability in github.com/go-jose/go-jose

Cxb6dee8d5-b814, Score: 7.5

The go-jose package is subject to a "billion hashes attack" causing Denial-of-Service (DOS) in versions prior to 3.0.1 when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a Denial-of-Service (DOS).

Read More: https://devhub.checkmarx.com/cve-details/Cxb6dee8d5-b814?utm_source=jetbrains&utm_medium=referral

panapol-p · 2024-06-17T09:04:44Z

waiting for next release
ref : #345 (review)

panapol-p mentioned this issue Jun 12, 2024

fix(deps): update go-jose to version 4.0.2 to fix vulnerability #345

Closed

13 tasks

panapol-p changed the title ~~fix(deps): update go-jose to version 3.0.1 to fix vulnerability~~ fix(deps): update go-jose to version 4.0.2 to fix vulnerability Jun 12, 2024

hifabienne linked a pull request Jun 12, 2024 that will close this issue

fix(deps): update go-jose to version 4.0.2 to fix vulnerability #345

Closed

13 tasks

panapol-p closed this as completed Jun 17, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update go-jose to version 4.0.2 to fix vulnerability #344

fix(deps): update go-jose to version 4.0.2 to fix vulnerability #344

panapol-p commented Jun 12, 2024

panapol-p commented Jun 17, 2024

fix(deps): update go-jose to version 4.0.2 to fix vulnerability #344

fix(deps): update go-jose to version 4.0.2 to fix vulnerability #344

Comments

panapol-p commented Jun 12, 2024

panapol-p commented Jun 17, 2024