CVE-2024-33664

mpdavis/python-jose

on github

Published

April 26, 2024

Severity

CVSS v3:

N/A

CVSS v2:

N/A

Description

python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.

References

https://github.com/mpdavis/python-jose/issues/344
https://github.com/mpdavis/python-jose/pull/345

Configurations

CPE23	Version Start	Version End	Exact Version

External Links

NVD - CVE-2024-33664