CVE-2023-51775: Jose4j Jwe Pbes2 Uncapped Dos
greprules fetch cve-2023-51775-jose4j-jwe-pbes2-uncapped-dos --engine opengrep

Description

An `AlgorithmConstraints` blocklist omits PBES2 algorithms. In versions of jose4j before 0.9.4, JWE tokens with PBES2 algorithms do not restrict the PBKDF2 iteration count (`p2c`). An attacker can cause a Denial of Service (CPU exhaustion) by supplying a maliciously large iteration count. Explicitly block PBES2 algorithms or use `ConstraintType.PERMIT` to re
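The pattern the rule flags, beside the two remediations it names, as an added example written for this page (not code from the rule, from greprules, or from jose4j itself). It assumes the caller supplies the decryption `Key` and the compact JWE string; the algorithm lists in the fixes are illustrative and should be narrowed to what the application actually uses.

```java
import java.security.Key;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

public class JweAlgorithmConstraintsExample {

    // Pattern the rule flags: a BLOCK list that names a few algorithms but not PBES2.
    // Every unlisted algorithm, including the three PBES2 variants, is still accepted,
    // so before jose4j 0.9.4 an attacker-chosen "p2c" header drives an unbounded PBKDF2 loop.
    static JwtConsumer weakConsumer(Key jweKey) {
        AlgorithmConstraints blockList = new AlgorithmConstraints(ConstraintType.BLOCK,
                KeyManagementAlgorithmIdentifiers.DIRECT,
                KeyManagementAlgorithmIdentifiers.RSA1_5);
        return new JwtConsumerBuilder()
                .setDecryptionKey(jweKey)
                .setJweAlgorithmConstraints(blockList)
                .build();
    }

    // Fix 1: keep the blocklist, but name all three PBES2 key-management algorithms explicitly.
    static JwtConsumer blockPbes2Consumer(Key jweKey) {
        AlgorithmConstraints blockList = new AlgorithmConstraints(ConstraintType.BLOCK,
                KeyManagementAlgorithmIdentifiers.DIRECT,
                KeyManagementAlgorithmIdentifiers.RSA1_5,
                KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW,
                KeyManagementAlgorithmIdentifiers.PBES2_HS384_A192KW,
                KeyManagementAlgorithmIdentifiers.PBES2_HS512_A256KW);
        return new JwtConsumerBuilder()
                .setDecryptionKey(jweKey)
                .setJweAlgorithmConstraints(blockList)
                .build();
    }

    // Fix 2 (preferred): PERMIT only the algorithms this application issues. Anything else,
    // PBES2 included, is rejected when the "alg" header is checked, before any key derivation.
    static JwtConsumer permitListConsumer(Key jweKey) {
        return new JwtConsumerBuilder()
                .setDecryptionKey(jweKey)
                .setJweAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT,
                        KeyManagementAlgorithmIdentifiers.RSA_OAEP_256))   // assumed app choice
                .setJweContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(
                        ConstraintType.PERMIT, ContentEncryptionAlgorithmIdentifiers.AES_256_GCM))
                .build();
    }

    // Returns false when the token is refused (constraint violation, bad key, bad claims).
    static boolean accepts(JwtConsumer consumer, String compactJwe) {
        try { consumer.processToClaims(compactJwe); return true; }
        catch (InvalidJwtException e) { return false; }
    }
}
```

With `permitListConsumer`, a token whose header carries `"alg":"PBES2-HS256+A128KW"` fails the constraint check whatever its `p2c` value; upgrading to 0.9.4 or later is still the baseline fix the rule description gives.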