CVE-2024-28180 Affecting containers-common package, versions <2:1-81.0.1.module+el8.10.0+90298+77a9814d

Q: How to fix?

<p>Upgrade <code>Oracle:8</code> <code>containers-common</code> to version 2:1-81.0.1.module+el8.10.0+90298+77a9814d or higher.<br>This issue was patched in <code>ELSA-2024-3968</code>.</p>

Threat Intelligence

0.05% (19^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-ORACLE8-CONTAINERSCOMMON-7175013
published 2 Jun 2024
disclosed 9 Mar 2024

Report a new vulnerability Found a mistake?

Introduced: 9 Mar 2024

CVE-2024-28180 Open this link in a new tab

How to fix?

Upgrade Oracle:8 containers-common to version 2:1-81.0.1.module+el8.10.0+90298+77a9814d or higher.
This issue was patched in ELSA-2024-3968.

NVD Description

Note: Versions mentioned in the description apply only to the upstream containers-common package and not the containers-common package as distributed by Oracle. See How to fix? for Oracle:8 relevant fixed versions and status.

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

Low
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

None
Integrity (I)

None
Availability (A)

Low