[MAVEN:GHSA-GVPG-VGMX-XG6W] Denial of Service in Connect2id Nimbus JOSE+JWT

Severity Moderate
Affected Packages 1
Fixed Packages 1
CVEs 1

In Connect2id Nimbus JOSE+JWT before 9.37.2, the PasswordBasedDecrypter (PBES2/PBKDF2) component takes the PBKDF2 iteration count directly from the JWE protected header's p2c value (aka iteration count), which is controlled by whoever produced the JWE. An attacker who can submit a JWE to the decrypter can therefore set a very large p2c and cause a denial of service through resource (CPU) consumption during key derivation, before the password or key is ever checked. Upgrading to 9.37.2, which is the fixed version, or bounding p2c before decryption closes the issue.
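Added example, not code from the advisory or from the Nimbus JOSE+JWT library: a Python sketch of the PBES2 key-derivation step (RFC 7518 section 4.8) with the check that closes this class of bug, namely validating p2c against a ceiling before any PBKDF2 work is done. The bounds MIN_P2C and MAX_P2C, the placeholder JWE segments, the password and the salt are all assumptions made for this illustration.

```python
import base64
import hashlib
import json

# Bounds on the PBKDF2 iteration count this decrypter will honour. Both numbers
# are assumptions made for this example (not values from the advisory or the
# library); set MAX_P2C to what your CPU budget per JWE allows.
MIN_P2C = 1_000
MAX_P2C = 1_000_000

# RFC 7518 section 4.8: PBES2 algorithm -> (PBKDF2 PRF, derived key length in bytes)
PBES2 = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


def b64url_decode(s: str) -> bytes:
    """base64url without padding, as JOSE uses it."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_protected_header(jwe_compact: str) -> dict:
    """Decode the protected header: the first dot-separated segment of a compact JWE."""
    return json.loads(b64url_decode(jwe_compact.split(".", 1)[0]))


def check_pbes2_header(header: dict):
    """Validate alg, p2s and p2c before any key derivation is attempted."""
    alg = header.get("alg")
    if alg not in PBES2:
        raise ValueError(f"not a PBES2 JWE: alg={alg!r}")
    p2c = header.get("p2c")
    # bool is a subclass of int in Python, so rule it out explicitly
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        raise ValueError("p2c must be an integer")
    if p2c < MIN_P2C:
        raise ValueError(f"p2c {p2c} is below the minimum {MIN_P2C}")
    if p2c > MAX_P2C:
        # The bound that was missing: without it, a huge p2c keeps PBKDF2 busy
        # for as long as the sender of the JWE likes.
        raise ValueError(f"p2c {p2c} exceeds the maximum {MAX_P2C}")
    p2s = header.get("p2s")
    if not isinstance(p2s, str):
        raise ValueError("p2s must be a base64url string")
    salt_input = b64url_decode(p2s)
    if len(salt_input) < 8:
        raise ValueError("p2s must be at least 8 bytes (RFC 7518 section 4.8.1.1)")
    return alg, salt_input, p2c


def derive_pbes2_key(password: bytes, header: dict) -> bytes:
    """PBKDF2 key-wrapping key per RFC 7518 section 4.8.1.1: salt = UTF8(alg) || 0x00 || p2s."""
    alg, salt_input, p2c = check_pbes2_header(header)
    prf, dklen = PBES2[alg]
    salt = alg.encode("utf-8") + b"\x00" + salt_input
    return hashlib.pbkdf2_hmac(prf, password, salt, p2c, dklen=dklen)


def screen_jwe(password: bytes, jwe_compact: str):
    """Return (True, key) or (False, reason); the reason is what you would log."""
    try:
        return True, derive_pbes2_key(password, parse_protected_header(jwe_compact))
    except ValueError as e:
        return False, str(e)


def make_jwe(alg: str, p2s: bytes, p2c) -> str:
    """Build a compact JWE whose only meaningful part is the protected header.
    The four trailing segments are placeholders: this check never reads them."""
    header = {"alg": alg, "enc": "A128CBC-HS256", "p2s": b64url_encode(p2s), "p2c": p2c}
    return b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + ".ek.iv.ct.tag"


# Constructed sample inputs (not from the advisory): an honest JWE and a hostile
# one that differ only in the iteration count.
PASSWORD = b"correct horse battery staple"
SALT = bytes(range(16))
HONEST_JWE = make_jwe("PBES2-HS256+A128KW", SALT, 8_192)
HOSTILE_JWE = make_jwe("PBES2-HS256+A128KW", SALT, 2_000_000_000)

if __name__ == "__main__":
    for name, jwe in (("honest", HONEST_JWE), ("hostile", HOSTILE_JWE)):
        ok, out = screen_jwe(PASSWORD, jwe)
        print(f"{name}: {out.hex() if ok else 'rejected: ' + out}")
```

The point of the ordering is that the hostile JWE is refused by a cheap header check and never reaches hashlib.pbkdf2_hmac; the honest one costs exactly the iterations it declares. The same pre-check applies to any JOSE library whose PBES2 decrypter has no built-in ceiling, and it should sit in front of decryption rather than rely on a timeout around it.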

Affected Package
pkg:maven/com.nimbusds/nimbus-jose-jwt < 9.37.2
Fixed Package
pkg:maven/com.nimbusds/nimbus-jose-jwt = 9.37.2
ID
MAVEN:GHSA-GVPG-VGMX-XG6W
Severity
moderate
URL
https://github.com/advisories/GHSA-gvpg-vgmx-xg6w
Published
2024-02-11T06:30:27
Modified
2024-03-15T14:23:03
Rights
Maven Security Team
Type      Package URL                              Namespace      Name / Product    Version
Affected  pkg:maven/com.nimbusds/nimbus-jose-jwt   com.nimbusds   nimbus-jose-jwt   < 9.37.2
Fixed     pkg:maven/com.nimbusds/nimbus-jose-jwt   com.nimbusds   nimbus-jose-jwt   = 9.37.2