Bug 1223422 (CVE-2024-33664)

Summary: VUL-0: CVE-2024-33664: python-python-jose: denial of service via decoding of a JSON Web Encryption (JWE ) token with a high compression ratio
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: camila.matos, daniel.garcia, mcepl
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/403210/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-33664:7.7:(AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-04-26 11:21:20 UTC 
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-33664
https://www.cve.org/CVERecord?id=CVE-2024-33664
https://github.com/mpdavis/python-jose/issues/344
https://github.com/mpdavis/python-jose/pull/345
https://bugzilla.redhat.com/show_bug.cgi?id=2277300
Comment 4 Daniel Garcia 2024-05-06 09:37:14 UTC 
These versions are not affected:
- openSUSE:Backports:SLE-15-SP4/python-python-jose
- openSUSE:Backports:SLE-15-SP5/python-python-jose

The version there is 3.0.1 and the jwe implementation was added in 3.3.0.
Comment 5 OBSbugzilla Bot 2024-05-06 09:55:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1223422) was mentioned in
https://build.opensuse.org/request/show/1172135 Factory / python-python-jose
Comment 7 Daniel Garcia 2024-05-06 10:19:00 UTC 
Request created for all supported codestreams
Comment 12 OBSbugzilla Bot 2024-06-03 08:25:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1223422) was mentioned in
https://build.opensuse.org/request/show/1178245 Factory / python-python-jose
Comment 14 OBSbugzilla Bot 2024-06-03 09:05:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1223422) was mentioned in
https://build.opensuse.org/request/show/1178251 Backports:SLE-15-SP5 / python-python-jose
Comment 15 Marcus Meissner 2024-06-03 19:04:51 UTC 
openSUSE-SU-2024:0149-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1223422
CVE References: CVE-2024-33664
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    python-python-jose-3.0.1-bp155.3.6.1