okta / okta-sdk-golang

A Golang SDK for interacting with the Okta management API, enabling server-side code to manage Okta users, groups, applications, and more.
https://github.com/okta/okta-sdk-golang

okta-sdk-golang v2.20.0, high risk vulnerabilities with go.jose dependency #424

Open shikhargiri opened 5 months ago

shikhargiri commented 5 months ago

Describe the bug?

Detailed paths

Introduced through: github.com/okta/okta-sdk-golang@v2.20.0 › github.com/go-jose/go-jose@v3.0.1

Security information

Factors contributing to the scoring: Snyk: CVSS 7.5 - High Severity

NVD: NVD only publishes analysis of vulnerabilities which are assigned a CVE ID. This vulnerability currently does not have an assigned CVE ID.

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) when decrypting JWE inputs. An attacker can cause a denial-of-service by providing a PBES2 encrypted JWE blob with a very large p2c value.

What is expected to happen?

We expect Okta to release a stable version with the fix for these findings.

What is the actual behavior?

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) when decrypting JWE inputs. An attacker can cause a denial-of-service by providing a PBES2 encrypted JWE blob with a very large p2c value.

Reproduction Steps?

This vulnerable dependency was identified in the Okta library we are using.

Additional Information?

No response

Golang Version

1.21.4

SDK Version

-

OS version

No response
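A defensive pre-check for the p2c problem described in this issue, added here as an example and not code from okta-sdk-golang or go-jose: it parses the JWE protected header with the Go standard library and rejects PBES2 tokens whose iteration count is outside a sane range before any decryption library is invoked. MaxP2C, CheckPBES2Header and EncodeHeaderOnly are assumed names, and the cap value is an assumption chosen for the demo.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// MaxP2C is a constructed (assumed) upper bound on the PBES2 iteration count
// accepted before a token is handed to the JWE library for decryption.
const MaxP2C = 100000

// jweHeader holds the protected-header fields relevant to the check.
type jweHeader struct {
	Alg string `json:"alg"`
	P2C int64  `json:"p2c"`
}

// CheckPBES2Header parses the protected header (first segment of a compact
// JWE, base64url without padding) and rejects PBES2 tokens whose p2c is
// outside (0, MaxP2C]. Tokens using other key-management algorithms pass.
func CheckPBES2Header(compactJWE string) error {
	parts := strings.Split(compactJWE, ".")
	if len(parts) != 5 {
		return errors.New("not a compact JWE: expected 5 segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return fmt.Errorf("invalid protected header encoding: %w", err)
	}
	var hdr jweHeader
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return fmt.Errorf("invalid protected header JSON: %w", err)
	}
	if !strings.HasPrefix(hdr.Alg, "PBES2") {
		return nil // not password-based key wrapping; p2c is irrelevant
	}
	if hdr.P2C <= 0 || hdr.P2C > MaxP2C {
		return fmt.Errorf("rejecting PBES2 JWE: p2c=%d outside (0, %d]", hdr.P2C, MaxP2C)
	}
	return nil
}

// EncodeHeaderOnly builds a constructed compact JWE with the given protected
// header; the other four segments are placeholders used only for the demo.
func EncodeHeaderOnly(h map[string]any) string {
	b, _ := json.Marshal(h)
	return base64.RawURLEncoding.EncodeToString(b) + ".x.x.x.x"
}
```

Because the check reads only the header, a p2c value that does not even fit in an int64 fails JSON decoding and is rejected as well, so the expensive key derivation is never reached.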

github-actions[bot] commented 5 months ago

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.

github-actions[bot] commented 4 months ago

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.

github-actions[bot] commented 3 months ago

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.