Bugzilla – Bug 1223422
VUL-0: CVE-2024-33664: python-python-jose: denial of service via decoding of a JSON Web Encryption (JWE) token with a high compression ratio
Last modified: 2024-06-03 19:04:51 UTC
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-33664
https://www.cve.org/CVERecord?id=CVE-2024-33664
https://github.com/mpdavis/python-jose/issues/344
https://github.com/mpdavis/python-jose/pull/345
https://bugzilla.redhat.com/show_bug.cgi?id=2277300
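The failure mode in this bug is the final step of JWE decoding: a token whose protected header carries "zip": "DEF" holds a plaintext that was DEFLATE-compressed (RFC 7516 section 4.1.3, RFC 1951) before encryption, and inflating it with no output cap lets a few kilobytes of token expand into an allocation limited only by the compression ratio. The following is an added example written for this page, not python-jose's own code and not the fix from the linked pull request; it shows a bounded inflate that stops as soon as the output passes a configured cap, wired into the post-decryption step. The cap value, the header and claims, the 16 MiB all-zero payload, and the function names are all constructed for the demonstration.

```python
import base64
import json
import zlib

# Added example, not python-jose's own code. RFC 7516 section 4.1.3 defines
# "zip": "DEF" as DEFLATE (RFC 1951) compression of the plaintext before
# encryption, so the receiver inflates after decrypting. Inflating with no
# output cap is what lets a small token expand into a huge allocation.
MAX_PLAINTEXT_BYTES = 256 * 1024  # hypothetical cap chosen for this example


class DecompressionLimitExceeded(ValueError):
    """Inflated output would exceed the configured cap."""


def bounded_inflate(data: bytes, max_bytes: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate raw DEFLATE data, stopping as soon as output would exceed max_bytes.

    decompressobj.decompress(max_length=...) caps the output of one call and parks
    the rest of the input in .unconsumed_tail, so memory use stays near max_bytes
    no matter how large the stream would inflate to.
    """
    inflater = zlib.decompressobj(wbits=-15)  # -15: raw DEFLATE, no zlib header
    out = bytearray()
    pending = data
    while True:
        # Budget one byte beyond the cap so an over-limit stream is caught early.
        chunk = inflater.decompress(pending, max_bytes - len(out) + 1)
        out += chunk
        if len(out) > max_bytes:
            consumed = len(data) - len(inflater.unconsumed_tail)
            raise DecompressionLimitExceeded(
                f"output exceeds {max_bytes} bytes after {consumed} of {len(data)} compressed bytes"
            )
        if inflater.eof:
            return bytes(out)
        pending = inflater.unconsumed_tail
        if not pending and not chunk:
            # Input exhausted and nothing more can be produced: stream ended early.
            raise ValueError("truncated or invalid DEFLATE stream")


def fits_within(data: bytes, max_bytes: int) -> bool:
    """True if the stream inflates to at most max_bytes; never allocates more than that."""
    try:
        bounded_inflate(data, max_bytes)
        return True
    except DecompressionLimitExceeded:
        return False


def b64url_decode(s: str) -> bytes:
    """base64url without padding, as used for JWE protected headers."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def plaintext_after_decryption(protected_b64: str, decrypted: bytes,
                               max_bytes: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Final JWE decode step, assuming `decrypted` is the AEAD-verified output.

    "DEF" is the only registered value for "zip"; anything else is rejected.
    """
    header = json.loads(b64url_decode(protected_b64))
    zip_alg = header.get("zip")
    if zip_alg is None:
        return decrypted
    if zip_alg != "DEF":
        raise ValueError(f"unsupported zip algorithm {zip_alg!r}")
    return bounded_inflate(decrypted, max_bytes)


def raw_deflate(plaintext: bytes) -> bytes:
    """Raw DEFLATE, i.e. what a JWE producer applies before encryption."""
    c = zlib.compressobj(level=9, method=zlib.DEFLATED, wbits=-15)
    return c.compress(plaintext) + c.flush()


# Constructed sample inputs for the demo (not taken from the advisory).
PROTECTED_HEADER_B64 = base64.urlsafe_b64encode(
    json.dumps({"alg": "dir", "enc": "A256GCM", "zip": "DEF"}).encode()
).rstrip(b"=").decode()
LEGIT_CLAIMS = b'{"sub":"alice","exp":1717459200}'


def demo() -> dict:
    """Run a normal claims payload and a highly compressible one through the capped decoder."""
    legit = plaintext_after_decryption(PROTECTED_HEADER_B64, raw_deflate(LEGIT_CLAIMS))
    # 16 MiB of zeros deflates to a few KB; only the cap keeps it from being allocated.
    bomb = raw_deflate(b"\0" * (16 * 1024 * 1024))
    return {
        "legit_ok": legit == LEGIT_CLAIMS,
        "bomb_compressed_bytes": len(bomb),
        "bomb_rejected": not fits_within(bomb, MAX_PLAINTEXT_BYTES),
    }


if __name__ == "__main__":
    print(demo())
```

The cap should be sized to the largest claims set the application legitimately issues; the same bounded-inflate pattern applies to any place a library calls zlib.decompress on attacker-controlled input, and rejecting on the compressed-bytes-consumed count in the error message gives a useful log line for spotting tokens that were built to expand far beyond their wire size.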
These versions are not affected:
- openSUSE:Backports:SLE-15-SP4/python-python-jose
- openSUSE:Backports:SLE-15-SP5/python-python-jose
The version there is 3.0.1 and the JWE implementation was added in 3.3.0.
This is an autogenerated message for OBS integration: This bug (1223422) was mentioned in https://build.opensuse.org/request/show/1172135 Factory / python-python-jose
Request created for all supported codestreams
This is an autogenerated message for OBS integration: This bug (1223422) was mentioned in https://build.opensuse.org/request/show/1178245 Factory / python-python-jose
This is an autogenerated message for OBS integration: This bug (1223422) was mentioned in https://build.opensuse.org/request/show/1178251 Backports:SLE-15-SP5 / python-python-jose
openSUSE-SU-2024:0149-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1223422
CVE References: CVE-2024-33664
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): python-python-jose-3.0.1-bp155.3.6.1