erlang jose
About this tag
The erlang jose tag covers discussions about the JOSE (JSON Object Signing and Encryption) library for Erlang and Elixir, particularly around security vulnerabilities. A key topic is CVE-2023-50966, which affects erlang jose versions through 1.11.6. This vulnerability allows attackers to cause denial of service by supplying maliciously large PBES2 iteration counts (p2c header) during JWE decryption, leading to excessive CPU consumption. The fix was released in version 1.11.7. Microsoft has acknowledged that Azure Linux includes this library and is potentially affected, with plans to update CVE/VEX mappings if other Microsoft products are identified as carriers. The tag is relevant for developers and IT professionals managing Erlang/Elixir environments or Azure Linux deployments.
The erlang-jose library (JOSE for Erlang and Elixir) was assigned CVE-2023-50966 after researchers discovered that maliciously large PBES2 iteration counts (the JOSE header field known as p2c) can be abused to cause excessive CPU consumption during JWE decryption—an attacker-controlled...