CVE-2024-29370
CVE-2024-29370 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. In python-jose 3.3.0 (specifically jwe.decrypt), an attacker can cause a denial-of-service (DoS) condition by crafting a JSON Web Encryption (JWE) token with an exceptionally high compression ratio: when the server decompresses the token, it is forced into significant memory allocation and processing time. EPSS estimates a 0.17% chance of exploitation in the next 30 days.
Description
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
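To make the failure mode concrete, the following is an added Python example, not python-jose's own code. It deliberately uses only the standard library's zlib so it runs without python-jose installed: it builds a raw-DEFLATE payload of the kind a JWE with "zip": "DEF" carries, shows the extreme compression ratio that the description relies on, contrasts the unbounded inflate with one that caps the output, and applies that cap at the point where a JWE consumer honours the attacker-controlled "zip" header. MAX_DECOMPRESSED, make_bomb, inflate_bounded and apply_zip are names chosen for this example, not library identifiers, and the 256 KiB cap is an assumed application limit.

```python
import zlib

# Added example, not python-jose's code. It models the "zip": "DEF" step of
# JWE decryption (RFC 7516 section 4.1.3: raw DEFLATE per RFC 1951) with the
# stdlib zlib so it runs offline, without python-jose.

# Hypothetical application cap on the plaintext a single JWE may expand to.
MAX_DECOMPRESSED = 256 * 1024


def deflate(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header/trailer), as JWE "zip":"DEF" requires."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def make_bomb(size: int) -> bytes:
    """Constructed attacker payload: a tiny stream that inflates to `size` zero bytes."""
    return deflate(b"\x00" * size)


def compression_ratio(blob: bytes, size: int) -> float:
    """Output bytes produced per input byte; the attack is entirely this ratio."""
    return size / len(blob)


def inflate_unbounded(blob: bytes) -> bytes:
    """The vulnerable pattern: allocate whatever the stream expands to."""
    return zlib.decompress(blob, wbits=-15)


def inflate_bounded(blob: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate at most `limit` bytes and refuse streams that would exceed it.

    decompress(max_length=limit + 1) makes zlib stop emitting output once
    limit + 1 bytes exist, so memory is bounded before the size check runs.
    A stream larger than `limit`, or one that is truncated or corrupt, leaves
    eof False and is rejected.
    """
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(blob, limit + 1)
    if len(out) > limit or not d.eof:
        raise ValueError("decompressed JWE plaintext exceeds %d bytes" % limit)
    return out


def apply_zip(protected_header: dict, decrypted: bytes,
              limit: int = MAX_DECOMPRESSED) -> bytes:
    """Post-decryption step of a JWE consumer: honour "zip" only with a cap.

    The protected header is attacker-controlled, so "zip": "DEF" must never be
    allowed to turn a small ciphertext into an arbitrarily large plaintext.
    """
    zip_alg = protected_header.get("zip")
    if zip_alg is None:
        return decrypted
    if zip_alg != "DEF":
        raise ValueError("unsupported zip algorithm: %r" % zip_alg)
    return inflate_bounded(decrypted, limit)


if __name__ == "__main__":
    size = 8 * 1024 * 1024
    bomb = make_bomb(size)
    print("bomb: %d compressed bytes -> %d bytes, ratio %.0f:1"
          % (len(bomb), size, compression_ratio(bomb, size)))
    print("unbounded inflate allocated %d bytes" % len(inflate_unbounded(bomb)))
    try:
        inflate_bounded(bomb)
    except ValueError as err:
        print("bounded inflate rejected it:", err)
    header = {"alg": "dir", "enc": "A256GCM", "zip": "DEF"}
    print(apply_zip(header, deflate(b'{"sub":"alice"}')))
```

The bounded variant passes max_length to zlib rather than checking len() after a full decompress, which is the point: a check that runs after the allocation has already paid the cost the attacker wanted. Limiting the accepted token size alone does not help much here, since a few kilobytes of DEFLATE can expand by three orders of magnitude.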
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Python-Jose Project | Python-Jose | 3.3.0 |
References
- https://github.com/mpdavis/python-jose/issues/344 (Exploit, Issue Tracking, Patch)
Timeline
- Published
- Last Modified
- Status: Analyzed
Frequently Asked Questions
What is CVE-2024-29370?
A denial-of-service weakness in python-jose 3.3.0: jwe.decrypt decompresses the JWE payload without bounding the output size, so a token with a very high compression ratio forces large memory allocation and CPU time on the server that processes it.
How severe is CVE-2024-29370?
Medium: CVSS 3.1 base score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). It is exploitable over the network without authentication or user interaction, but the only impact is a limited loss of availability. EPSS estimates a 0.17% probability of exploitation in the next 30 days.
How do I fix CVE-2024-29370?
The only affected version listed is python-jose 3.3.0, and the python-jose issue cited under References is tagged as carrying the patch; upgrade to a release that includes that fix. Until then, treat the "zip" header of an incoming JWE as untrusted input and cap the decompressed size in your own decryption path rather than relying on an unbounded inflate.
Source: NVD / NIST
