CVE-2024-29370

Name: CVE-2024-29370
Description: In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
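The failure mode in the description above, as an added illustration that is not python-jose's code and not the fix from the linked commit: a few kilobytes of compressed input inflate to megabytes when decompression has no bound, and a cap enforced inside the decompressor refuses such input after allocating only the cap. The 250,000-byte limit, the function names and the sample payloads are this example's own assumptions; the only thing taken from the JWE specification is that "zip":"DEF" means raw DEFLATE.

```python
import zlib

# Assumed cap on decompressed size: this example's own choice, not a python-jose setting.
MAX_DECOMPRESSED_BYTES = 250_000

# JWE "zip":"DEF" is raw DEFLATE (RFC 1951) with no zlib header, hence wbits = -15.
RAW_DEFLATE = -15


def make_compressed(plaintext: bytes) -> bytes:
    """Raw-DEFLATE a payload; used here only to build constructed test inputs."""
    c = zlib.compressobj(9, zlib.DEFLATED, RAW_DEFLATE)
    return c.compress(plaintext) + c.flush()


def decompress_unbounded(data: bytes) -> bytes:
    """The pattern the advisory describes: inflate whatever arrives with no bound,
    so the sender decides how much memory the server allocates."""
    return zlib.decompress(data, RAW_DEFLATE)


def decompress_bounded(data: bytes, max_bytes: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Inflate with an output cap enforced inside zlib rather than checked afterwards.

    decompressobj.decompress(data, max_length) stops once max_length bytes of output
    exist, so an oversized stream is detected after allocating max_bytes + 1 bytes
    instead of the full expansion.
    """
    d = zlib.decompressobj(RAW_DEFLATE)
    out = d.decompress(data, max_bytes + 1)  # one byte past the cap is enough to detect overflow
    if len(out) > max_bytes:
        raise ValueError(f"decompressed payload exceeds {max_bytes} bytes")
    if not d.eof:
        # The stream never reached its end marker: truncated input or output still pending.
        raise ValueError("incomplete compressed stream")
    return out


def rejects_oversized(data: bytes, max_bytes: int = MAX_DECOMPRESSED_BYTES) -> bool:
    """True when the bounded decoder refuses the input."""
    try:
        decompress_bounded(data, max_bytes)
    except ValueError:
        return True
    return False


def compression_ratio(compressed: bytes, decompressed_len: int) -> float:
    """Expansion factor of a compressed blob; a bomb shows ratios in the hundreds or more."""
    return decompressed_len / max(len(compressed), 1)


if __name__ == "__main__":
    # Constructed inputs: a small legitimate payload and a highly compressible blob.
    legit = make_compressed(b'{"sub":"alice","exp":1700000000}')
    bomb = make_compressed(b"\x00" * 5_000_000)
    print("legit accepted:", decompress_bounded(legit))
    print("bomb ratio: %.0f:1" % compression_ratio(bomb, len(decompress_unbounded(bomb))))
    print("bomb rejected by bounded decoder:", rejects_oversized(bomb))
```

The cap is applied as a `max_length` argument to the decompressor so the limit holds while inflating, not after a full buffer has already been built; checking `len(output)` after an unbounded `zlib.decompress` would still allocate the whole expansion first.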

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      | Release  | Version      | Status
python-jose (PTS)   | bookworm | 3.3.0+dfsg-4 | vulnerable

The information below is based on the following data on fixed versions.

Package     | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
python-jose | source | (unstable) | (unfixed)     |         |        |

Notes

https://github.com/mpdavis/python-jose/issues/344
https://github.com/mpdavis/python-jose/pull/352
Fixed by: https://github.com/mpdavis/python-jose/commit/8e1f521a7588dd6bfe553c3d3f320ab7a55bba36 (3.4.0)
