P3ngu1nW/CVE_Request

Releases0

Stars2

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2023-50967 ↗	Mar 20, 2024Wednesday, 20 March 2024, 16:15	7.5 HIGH	—
latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
CVE-2023-50966 ↗	Mar 19, 2024Tuesday, 19 March 2024, 15:15	5.3 MEDIUM	—
erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allow attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value in a JOSE header.
CVE-2023-51774 ↗	Feb 29, 2024Thursday, 29 February 2024, 01:42	8.4 HIGH	—
The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.
CVE-2024-25190 ↗	Feb 8, 2024Thursday, 8 February 2024, 17:15	9.8 CRITICAL	—
l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.
CVE-2024-25191 ↗	Feb 8, 2024Thursday, 8 February 2024, 17:15	9.8 CRITICAL	—
php-jwt 1.0.0 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.
CVE-2024-25189 ↗	Feb 8, 2024Thursday, 8 February 2024, 17:15	9.8 CRITICAL	—
libjwt 1.15.3 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel.