GHSA-jr22-8qgm-4q87

Source

https://github.com/advisories/GHSA-jr22-8qgm-4q87

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-jr22-8qgm-4q87/GHSA-jr22-8qgm-4q87.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jr22-8qgm-4q87

Aliases

CVE-2024-27355

Published

2024-03-02T00:31:33Z

Modified

2024-08-13T18:30:48.616822Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

phpseclib does not properly limit the ASN1 OID length

Details

An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID).

Database specific

{
    "nvd_published_at": "2024-03-01T23:15:08Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-04T20:42:19Z"
}

References

Affected packages

Packagist / phpseclib/phpseclib

Package

Name: phpseclib/phpseclib
Purl: pkg:composer/phpseclib/phpseclib

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.0.36

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.0.13

3.0.14

3.0.15

3.0.16

3.0.17

3.0.18

3.0.19

3.0.20

3.0.21

3.0.22

3.0.23

3.0.33

3.0.34

3.0.35

Packagist / phpseclib/phpseclib

Package

Name: phpseclib/phpseclib
Purl: pkg:composer/phpseclib/phpseclib

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.47

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.0.19

2.0.20

2.0.21

2.0.22

2.0.23

2.0.24

2.0.25

2.0.26

2.0.27

2.0.28

2.0.29

2.0.30

2.0.31

2.0.32

2.0.33

2.0.34

2.0.35

2.0.36

2.0.37

2.0.38

2.0.39

2.0.40

2.0.41

2.0.42

2.0.43

2.0.44

2.0.45

2.0.46

Packagist / phpseclib/phpseclib

Package

Name: phpseclib/phpseclib
Purl: pkg:composer/phpseclib/phpseclib

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.0.23

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.20

1.0.21

1.0.22