漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
JWCrypto: JWE ZIP decompression bomb
Vulnerability Description
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Vulnerability Type
对高度压缩数据的处理不恰当(数据放大攻击)
Vulnerability Title
JWCrypto 安全漏洞
Vulnerability Description
JWCrypto是JWCrypto开源的一个 Javascript 对象签名和加密 (JOSE) Web 标准的实现。 JWCrypto 1.5.7之前版本存在安全漏洞,该漏洞源于对解压缩输出大小验证不足,可能导致未经身份验证的攻击者耗尽服务器内存。
CVSS Information
N/A
Vulnerability Type
N/A