Resource Exhaustion Affecting vexctl package, versions <0.2.6-r0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-WOLFILATEST-VEXCTL-6262857
- published 22 Feb 2024
- disclosed 5 Dec 2023
Introduced: 5 Dec 2023
CVE-2023-49290 Open this link in a new tabHow to fix?
Upgrade Wolfi
vexctl
to version 0.2.6-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream vexctl
package and not the vexctl
package as distributed by Wolfi
.
See How to fix?
for Wolfi
relevant fixed versions and status.
lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's algorithm PBES2-* could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource- intensive. Therefore, if an attacker sets the p2c parameter in JWE to a very large number, it can cause a lot of computational consumption, resulting in a denial of service. This vulnerability has been addressed in commit 64f2a229b
which has been included in release version 1.2.27 and 2.0.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.