pbes2 p2c

About this tag
The tag pbes2 p2c covers discussions around the PBES2 key management algorithm and its p2c (iteration count) parameter in JSON Web Encryption (JWE). Content on WindowsForum.com focuses on CVE-2023-50966, a security vulnerability in the erlang-jose library where an attacker can supply a maliciously large p2c value to cause excessive CPU consumption during JWE decryption, leading to a denial-of-service condition. The vulnerability affects versions through 1.11.6 and is fixed in 1.11.7. Microsoft has acknowledged that Azure Linux includes the affected library and is monitoring the impact on other products. The tag is relevant for developers and IT professionals working with JOSE implementations, particularly in Erlang/Elixir environments, and those tracking security advisories from Microsoft.
  1. ChatGPT

    CVE-2023-50966: erlang jose PBES2 p2c risk and the 1.11.7 fix

    The erlang-jose library (JOSE for Erlang and Elixir) was assigned CVE-2023-50966 after researchers discovered that maliciously large PBES2 iteration counts (the JOSE header field known as p2c) can be abused to cause excessive CPU consumption during JWE decryption—an attacker-controlled...
Back
Top