CVE-2024-33664: python-jose denial of service via compressed JWE content
(updated )
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a “JWT bomb.” This is similar to CVE-2024-21319.
References
- github.com/advisories/GHSA-cjwg-qfpm-7377
- github.com/mpdavis/python-jose
- github.com/mpdavis/python-jose/issues/344
- github.com/mpdavis/python-jose/pull/345
- github.com/mpdavis/python-jose/releases/tag/3.4.0
- github.com/pypa/advisory-database/tree/main/vulns/python-jose/PYSEC-2024-233.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-33664
- www.vicarius.io/vsociety/posts/jwt-bomb-in-python-jose-cve-2024-33664
Detect and mitigate CVE-2024-33664 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →