Fix potential DoS issue with p2c header #336

@simo5 simo5 commented Dec 26, 2023

Unbounded p2c headers may be used to cause an application that accepts PBES algorithms to spend a lot of resources running PBKDF2 with a very high number of iterations.

Clamp the default maximum to 16384 (double the default of 8192). An application that wants to use more iterations will have to change the jwa default max.

Fixes CVE-2023-6681

Unbounded p2c headers may be used to cause an application that accepts
PBES algorithms to spend a lot of resources running PBKDF2 with a very
high number of iterations.

Clamp the default maximum to 16384 (double the default of 8192).
An application that wants to use more iterations will have to change the
jwa default max.

Fixes CVE-2023-6681

Signed-off-by: Simo Sorce <[email protected]>
@simo5 simo5 merged commit d2655d3 into latchset:main Dec 26, 2023
12 checks passed
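
The check described in this pull request, shown as an added example that is not part of the PR or the project's own code: a receiver validates the sender-supplied `p2c` against a limit before any PBKDF2 work is done. The function names, the password and the sample header are assumptions made for illustration; the 8192 and 16384 values come from the PR text, and the salt layout follows RFC 7518.

```python
import base64
import hashlib
import json

DEFAULT_P2C = 8192       # default iteration count named in the PR
DEFAULT_MAX_P2C = 16384  # clamp named in the PR (double the default)

# alg -> (PBKDF2 hash, key length in bytes), per RFC 7518 section 4.8
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def derive_pbes2_kek(protected_b64, password, max_p2c=DEFAULT_MAX_P2C):
    """Check the sender-supplied p2c against a limit before running PBKDF2."""
    header = json.loads(b64url_decode(protected_b64))
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in PBES2_ALGS:
        raise ValueError("not a PBES2 algorithm")
    p2c, p2s = header.get("p2c"), header.get("p2s")
    # bool is a subclass of int in Python, so reject it explicitly
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
        raise ValueError("p2c must be a positive integer")
    if p2c > max_p2c:
        raise ValueError(f"p2c {p2c} exceeds limit {max_p2c}")
    if not isinstance(p2s, str):
        raise ValueError("p2s missing")
    hash_name, key_len = PBES2_ALGS[alg]
    # RFC 7518: salt = UTF8(alg) || 0x00 || p2s
    salt = alg.encode() + b"\x00" + b64url_decode(p2s)
    return hashlib.pbkdf2_hmac(hash_name, password, salt, p2c, key_len)


def sample_header(p2c):
    """Constructed sample protected header (salt value is arbitrary)."""
    header = {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
              "p2c": p2c, "p2s": b64url_encode(b"constructed-salt")}
    return b64url_encode(json.dumps(header).encode())
```

The limit is a parameter so that an application needing more iterations raises it deliberately, which mirrors the opt-in behaviour the PR describes.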