CVE-2024-28102
Description
RHSA-2024:3267: idm:DL1 and idm:client security update (Moderate)
Mitigations
Mitigation details
Description
python-jwcrypto: malicious JWE token can cause denial of service
Red Hat statement
The CVE-2024-28102 vulnerability in JWCrypto represents a moderate severity issue due to its potential impact on system availability and resource consumption. While the vulnerability allows for a denial of service (DoS) attack, it requires an attacker to craft a malicious JWE Token with a high compression ratio. This specific condition limits the practical exploitability of the vulnerability to some extent, as it demands a more sophisticated attack approach than common vulnerabilities. Nonetheless, if exploited, the vulnerability can lead to significant memory exhaustion and increased server processing time, impacting the overall performance and availability of the affected system.
CVSS v3: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | automation-controller-0:4.5.8-1.el8ap | RHSA-2024:4522 | 2024-07-12T00:00:00Z |
| Red Hat Ansible Automation Platform 2.4 for RHEL 9 | automation-controller-0:4.5.8-1.el9ap | RHSA-2024:4522 | 2024-07-12T00:00:00Z |
| Red Hat Enterprise Linux 8 | idm:client-8100020240417004735.143e9e98 | RHSA-2024:3267 | 2024-05-22T00:00:00Z |
| Red Hat Enterprise Linux 8 | idm:DL1-8100020240416171943.823393f5 | RHSA-2024:3267 | 2024-05-22T00:00:00Z |
| Red Hat Enterprise Linux 9 | python-jwcrypto-0:0.8-5.el9_4 | RHSA-2024:2559 | 2024-04-30T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | python-jwcrypto | Out of support scope |
Apply commands

```shell
# Ansible Automation Platform hosts (RHSA-2024:4522)
yum update -y automation-controller
# or:
dnf upgrade -y automation-controller

# RHEL 9 hosts shipping the standalone package (RHSA-2024:2559)
dnf upgrade -y python-jwcrypto
```
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| not listed | Affected | not listed |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1.5.6-1 |
| sid | Fixed | 1.5.6-1 |
| forky | Fixed | 1.5.6-1 |
| bullseye | Fixed | 0.8.0-1+deb11u1 |
| bookworm | Fixed | 1.1.0-1+deb12u1 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | see errata table above |
| 8 | Fixed | see errata table above |
Rocky Linux Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | not listed |
| 8 | Fixed | not listed |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | jwcrypto | <1.5.6 | 1.5.6 |
References
- https://access.redhat.com/errata/RHSA-2024:2559
- https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97
- https://nvd.nist.gov/vuln/detail/CVE-2024-28102
- https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f
- https://github.com/latchset/jwcrypto
- https://lists.debian.org/debian-lts-announce/2024/09/msg00026.html
- https://www.vicarius.io/vsociety/posts/denial-of-service-vulnerability-discovered-in-jwcrypto-cve-2024-28102-28103
- https://errata.rockylinux.org/RLSA-2024:3267
- https://www.suse.com/security/cve/CVE-2024-28102.html
- https://errata.rockylinux.org/RLSA-2024:2559
- https://security-tracker.debian.org/tracker/CVE-2024-28102
- https://bugzilla.redhat.com/2268758
- https://errata.almalinux.org/9/ALSA-2024-2559.html
- https://access.redhat.com/errata/RHSA-2024:3267