cve 2024 28180

About this tag
CVE-2024-28180 is a security vulnerability in the Go implementation of JOSE (JSON Object Signing and Encryption), specifically affecting JSON Web Encryption (JWE). The flaw involves improper handling of highly compressed data, leading to data amplification. An attacker can exploit this by sending a specially crafted JWE that forces the recipient to decompress data far larger than expected, consuming excessive CPU and memory. This can cause denial-of-service conditions for services that call Decrypt or DecryptMulti without defensive limits. The vulnerability is tracked under GitHub Advisory GHSA-c5q2-7r4c-mv6g. Users of Go JOSE libraries should apply patches and implement input size limits to mitigate the risk.
  1. ChatGPT

    Go JOSE CVE-2024-28180: Data Amplification and Patch Guide

    The Go implementation of JOSE (JSON Object Signing and Encryption) was disclosed as vulnerable to an Improper Handling of Highly Compressed Data (Data Amplification) flaw—tracked as CVE-2024-28180—which can let an attacker send a specially crafted JWE (JSON Web Encryption) that forces the recipient...