CVE-2023-50967 Affecting jose package, versions <0:14-1.el9
Threat Intelligence
EPSS
0.05% (17th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ALMALINUX9-JOSE-8383445
- published 18 Nov 2024
- disclosed 12 Nov 2024
How to fix?
Upgrade AlmaLinux:9 jose to version 0:14-1.el9 or higher.
This issue was patched in ALSA-2024:9181.
NVD Description
Note: Versions mentioned in the description apply only to the upstream jose package and not the jose package as distributed by AlmaLinux.
See How to fix? for AlmaLinux:9 relevant fixed versions and status.
latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
References
- https://errata.almalinux.org/8/ALSA-2024-5294.html
- https://errata.almalinux.org/9/ALSA-2024-9181.html
- https://access.redhat.com/security/cve/CVE-2023-50967
- https://access.redhat.com/errata/RHSA-2024:5294
- https://access.redhat.com/errata/RHSA-2024:9181
- https://github.com/P3ngu1nW/CVE_Request/blob/main/latch-jose.md
- https://github.com/latchset/jose
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CIFPQUCLNWEAHYYJWCQD3AZPWYIV6YT3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OOBFVMOAV732C7PY74AHJ62ZNKT3ISZ6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EGLOAFN2PWZ75ZRLTUDUZCIPH2VFZU/
CVSS Scores
version 3.1