michaelquigley changed the title from "Vulnerability Issue on my deps" to "go-jose.v2 Vulnerability" on Oct 3, 2024
I am using zrok as part of the einarCLI Installation, and Dependabot has alerted me to a vulnerability related to the following package:
Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification)
go mod why -m gopkg.in/square/go-jose.v2
go: downloading go.einride.tech/aip v0.68.0
# gopkg.in/square/go-jose.v2
archetype/app/shared/infrastructure/zrok
github.com/openziti/zrok/sdk/golang/sdk
github.com/openziti/sdk-golang/ziti
github.com/openziti/sdk-golang/edge-apis
github.com/zitadel/oidc/v2/pkg/client/rp
gopkg.in/square/go-jose.v2
Impact
An attacker could send a JWE containing compressed data, which would use large amounts of memory and CPU when decompressed by the Decrypt or DecryptMulti functions. These functions now return an error if the decompressed data exceeds 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting this issue.
Patches
The problem has been fixed in the following packages and versions:
github.com/go-jose/go-jose/v4 version 4.0.1
github.com/go-jose/go-jose/v3 version 3.0.3
gopkg.in/go-jose/go-jose.v2 version 2.6.3
Note: The issue will not be fixed in the gopkg.in/square/go-jose.v2 package as it has been archived.
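The advisory quoted above describes the defence in one sentence: bound the decompressed size to the larger of 250kB and 10x the compressed size, and fail instead of buffering an unbounded plaintext. The following is an added example of that bound applied to a raw DEFLATE stream, the compression JWE uses for "zip":"DEF". It is illustration code written for this page, not go-jose's or zrok's own implementation; it assumes 250kB means 250,000 bytes, and the names decompressLimit, inflateBounded and deflate are made up here. The key detail is that the limit is enforced while reading, so an over-sized stream is rejected after limit+1 bytes rather than after it has all been expanded into memory.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned when inflating a payload would produce
// more output than the limit allows.
var ErrDecompressionLimit = errors.New("decompressed payload exceeds size limit")

// decompressLimit returns the maximum permitted plaintext size for a
// compressed input of the given length: the larger of 250 kB and 10x the
// compressed size, as the advisory states. 250 kB is taken as 250,000 bytes
// here (assumption; go-jose's exact constant may differ).
func decompressLimit(compressedLen int) int64 {
	const floor int64 = 250_000
	if ratio := 10 * int64(compressedLen); ratio > floor {
		return ratio
	}
	return floor
}

// inflateBounded decompresses a raw DEFLATE stream (the format JWE uses for
// "zip":"DEF") while refusing to materialise more than decompressLimit bytes.
// The bound sits on the reader, so the caller never holds an unbounded buffer.
func inflateBounded(compressed []byte) ([]byte, error) {
	limit := decompressLimit(len(compressed))
	zr := flate.NewReader(bytes.NewReader(compressed))
	defer zr.Close()

	// Read at most one byte beyond the limit: reaching limit+1 bytes proves
	// the stream is too large without expanding the rest of it.
	out, err := io.ReadAll(io.LimitReader(zr, limit+1))
	if err != nil {
		return nil, fmt.Errorf("inflate: %w", err)
	}
	if int64(len(out)) > limit {
		return nil, fmt.Errorf("%w: more than %d bytes from %d compressed bytes",
			ErrDecompressionLimit, limit, len(compressed))
	}
	return out, nil
}

// deflate produces a raw DEFLATE stream; used only to build inputs for the demo.
func deflate(plain []byte) ([]byte, error) {
	var buf bytes.Buffer
	zw, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := zw.Write(plain); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed sample: a small claims set, the normal case that must pass.
	claims := []byte(`{"iss":"https://issuer.example","sub":"alice","exp":1700000000}`)
	small, _ := deflate(claims)
	out, err := inflateBounded(small)
	fmt.Printf("normal payload: %d -> %d bytes, err=%v\n", len(small), len(out), err)

	// Constructed sample: 1 MiB of zeros compresses to about a kilobyte, the
	// highly compressible shape the limit exists to refuse. 10x the compressed
	// size is well under 250 kB, so the floor applies and the read is cut off.
	large, _ := deflate(make([]byte, 1<<20))
	_, err = inflateBounded(large)
	fmt.Printf("over-sized payload: %d compressed bytes, err=%v\n", len(large), err)
}
```

For a dependency you cannot patch immediately, the same idea applies one layer up: reject JWE headers that request "zip" at all if your tokens never use it, since the bound above only matters once compressed input is accepted.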