Vulnerability Report: GO-2023-2379

  • CVE-2023-49290, GHSA-7f9x-gw85-8grf
  • Affects: github.com/lestrrat-go/jwx, github.com/lestrrat-go/jwx/v2
  • Published: Dec 11, 2023
  • Modified: May 20, 2024

The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive. However, if an attacker sets the p2c parameter in JWE to a very large number, it can cause excessive computational consumption.

For detailed information about this vulnerability, visit https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf.

Affected Packages

Aliases

References

Credits

  • @P3ngu1nW

Feedback

See anything missing or incorrect? Suggest an edit to this report.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.