JWCrypto implements the JWK, JWS, and JWE specifications on top of python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens that use the "zip" (DEFLATE) compression header. The existing patch for CVE-2024-28102 limits the input token size to 250KB but does not validate the size of the decompressed output, so a token under the 250KB input limit can decompress to approximately 100MB and cause memory exhaustion on memory-constrained systems. This vulnerability is fixed in 1.5.7.
The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
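The missing check described above is an output-size bound enforced while inflating, not after. The following is an added example and is not jwcrypto's own code; the two limits, the exception class, and the `deflate_raw`/`inflate_bounded` names are assumptions chosen for this illustration. It drives zlib in bounded steps so the decompressed output never exceeds the budget even when the compressed input is small.

```python
import zlib

# Constructed limits for this example; they are not jwcrypto's own constants.
MAX_TOKEN_BYTES = 250 * 1024      # input cap, as the CVE-2024-28102 patch applied
MAX_INFLATED_BYTES = 256 * 1024   # output cap, the check that was missing


class DecompressionBombError(ValueError):
    """Raised when inflating would exceed the configured output budget."""


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), the encoding a JWE 'zip': 'DEF' payload uses."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def inflate_bounded(data: bytes, max_out: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate raw DEFLATE while never materialising more than max_out bytes.

    An input-size check alone is insufficient: a few KB of repetitive data
    inflates to many MB. The budget is enforced during inflation via
    max_length, so a bomb is rejected before its output occupies memory.
    """
    if len(data) > MAX_TOKEN_BYTES:
        raise DecompressionBombError("compressed input exceeds token size limit")
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    buf = data
    while not d.eof:
        # Request at most the remaining budget plus one byte, so exceeding
        # the budget is detected on this step without over-allocating.
        chunk = d.decompress(buf, max_length=max_out - len(out) + 1)
        out += chunk
        if len(out) > max_out:
            raise DecompressionBombError(f"inflated size exceeds {max_out} bytes")
        buf = d.unconsumed_tail
        if not chunk and not buf and not d.eof:
            raise ValueError("truncated or malformed DEFLATE stream")
    return bytes(out)
```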
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Jwcrypto | Latchset | * | 1.5.7 (excluding) |
| Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | python3.12-jwcrypto-0:1.5.7-1.el8ap | * |
| Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | python3.12-jwcrypto-0:1.5.7-1.el9ap | * |
| Red Hat Ansible Automation Platform 2.6 for RHEL 9 | RedHat | python3.12-jwcrypto-0:1.5.7-1.el9ap | * |
| Red Hat Enterprise Linux 10 | RedHat | python-jwcrypto-0:1.5.6-5.el10_2 | * |
| Red Hat Enterprise Linux 9 | RedHat | python-jwcrypto-0:1.5.6-3.el9_8 | * |
| Python-jwcrypto | Ubuntu | esm-apps/xenial | * |