
Search CVE reports



1 – 10 of 14 results


CVE-2024-33664

Medium priority
Needs evaluation

python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to...

1 affected packages

python-jose

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
python-jose Needs evaluation Needs evaluation Not in release

CVE-2024-33663

Medium priority
Needs evaluation

python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

1 affected packages

python-jose

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
python-jose Needs evaluation Needs evaluation Not in release

CVE-2023-50967

Medium priority
Needs evaluation

latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

1 affected packages

jose

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
jose Needs evaluation Needs evaluation Needs evaluation Needs evaluation

CVE-2023-50966

Medium priority
Needs evaluation

erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value in a JOSE header.

1 affected packages

erlang-jose

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
erlang-jose Needs evaluation Needs evaluation Needs evaluation Needs evaluation

CVE-2024-28180

Medium priority
Needs evaluation

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed...

1 affected packages

golang-github-go-jose-go-jose

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
golang-github-go-jose-go-jose Needs evaluation Not in release Not in release

CVE-2024-28176

Medium priority
Needs evaluation

jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more....

1 affected packages

node-jose

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
node-jose Needs evaluation Needs evaluation Not in release

CVE-2023-51775

Medium priority
Needs evaluation

The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

1 affected packages

libjose4j-java

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
libjose4j-java Needs evaluation Needs evaluation Not in release Ignored Ignored

CVE-2023-50658

Medium priority
Needs evaluation

The jose2go component before 1.6.0 for Go allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

1 affected packages

golang-github-dvsekhvalnov-jose2go

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
golang-github-dvsekhvalnov-jose2go Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation

CVE-2023-31582

Medium priority
Needs evaluation

jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less.

1 affected packages

libjose4j-java

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
libjose4j-java Needs evaluation Needs evaluation Not in release Ignored Ignored

CVE-2023-37464

Medium priority

Some fixes available 4 of 8

OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says...

1 affected packages

cjose

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
cjose Needs evaluation Fixed Fixed Fixed Ignored