zitadel / zitadel-go

ZITADEL Go - The official client library of ZITADEL for an easy integration into your Go project.
https://zitadel.com
Apache License 2.0

fix(deps): update go-jose to version 4.0.2 to fix vulnerability #344

Closed panapol-p closed 5 months ago

panapol-p commented 5 months ago

GO-2024-2631: Decompression bomb vulnerability in github.com/go-jose/go-jose

Cxb6dee8d5-b814, Score: 7.5

The go-jose package is subject to a "billion hashes attack" causing Denial-of-Service (DOS) in versions prior to 3.0.1 when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a Denial-of-Service (DOS).

Read More: https://devhub.checkmarx.com/cve-details/Cxb6dee8d5-b814?utm_source=jetbrains&utm_medium=referral
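The advisory above describes the cost as attacker-controlled: the PBES2 "p2c" header value sets the PBKDF2 iteration count, so a huge value makes the recipient burn CPU before it can reject the blob. Upgrading go-jose is the real fix; the following is an added example (not code from zitadel-go or go-jose) showing the defensive check a recipient can run on the protected header before handing a compact JWE to a decryption library. The `MaxP2C` bound and the placeholder ciphertext segments are assumptions made for the example, not limits taken from go-jose.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// MaxP2C is an assumed upper bound on the PBES2 iteration count ("p2c")
// accepted before decryption. It is an example policy value chosen here,
// not the limit that go-jose itself enforces.
const MaxP2C = 1_000_000

// jweProtectedHeader holds only the fields this pre-check inspects.
type jweProtectedHeader struct {
	Alg string `json:"alg"`
	P2C *int64 `json:"p2c,omitempty"`
}

// parseProtectedHeader decodes the first (protected header) segment of a
// compact-serialized JWE without touching the key, IV, ciphertext or tag.
func parseProtectedHeader(compact string) (*jweProtectedHeader, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("expected 5 JWE segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("decode protected header: %w", err)
	}
	var hdr jweProtectedHeader
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return nil, fmt.Errorf("parse protected header: %w", err)
	}
	return &hdr, nil
}

// CheckPBES2Cost rejects a JWE whose PBES2 header asks for an unreasonable
// number of PBKDF2 iterations. It runs before any key derivation, so a
// hostile p2c costs the recipient only a base64 decode and a JSON parse.
func CheckPBES2Cost(compact string, maxP2C int64) error {
	hdr, err := parseProtectedHeader(compact)
	if err != nil {
		return err
	}
	if !strings.HasPrefix(hdr.Alg, "PBES2") {
		return nil // not password-based key wrapping; p2c does not apply
	}
	if hdr.P2C == nil {
		return errors.New("PBES2 JWE is missing the required p2c header")
	}
	if *hdr.P2C <= 0 || *hdr.P2C > maxP2C {
		return fmt.Errorf("rejecting p2c=%d: outside (0, %d]", *hdr.P2C, maxP2C)
	}
	return nil
}

// buildCompactWithHeader constructs a syntactically valid compact JWE whose
// protected header is the given JSON. The remaining segments are constructed
// placeholders, not a real encrypted key or ciphertext.
func buildCompactWithHeader(headerJSON string) string {
	h := base64.RawURLEncoding.EncodeToString([]byte(headerJSON))
	return h + ".key.iv.ct.tag"
}

func main() {
	// Constructed sample headers: a sane PBES2 cost, an excessive one, and
	// a non-PBES2 algorithm that the check should leave alone.
	samples := map[string]string{
		"reasonable": `{"alg":"PBES2-HS256+A128KW","enc":"A128GCM","p2c":10000}`,
		"excessive":  `{"alg":"PBES2-HS256+A128KW","enc":"A128GCM","p2c":2000000000}`,
		"not-pbes2":  `{"alg":"RSA-OAEP","enc":"A256GCM"}`,
	}
	for name, hdr := range samples {
		err := CheckPBES2Cost(buildCompactWithHeader(hdr), MaxP2C)
		fmt.Printf("%-10s -> %v\n", name, err)
	}
}
```

The check is deliberately a gate in front of the library rather than a replacement for it: it bounds the work an untrusted header can demand, while the patched go-jose still performs the actual decryption and its own validation.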

panapol-p commented 5 months ago

Waiting for the next release, ref: https://github.com/zitadel/zitadel-go/pull/345#pullrequestreview-2122138419