AZL-43366

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-43366.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-43366

Upstream

CVE-2024-28102

Published

2024-03-21T02:52:23Z

Modified

2026-04-21T04:30:58.697434Z

Summary

CVE-2024-28102 affecting package python-jwcrypto 0.6.0-9

Details

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-28102

Affected packages

Azure Linux:2 / python-jwcrypto

Package

Name: python-jwcrypto
Purl: pkg:rpm/azure-linux/python-jwcrypto

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.6.0-9

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-43366.json"