CVE-2024-21664 (High) detected in github.com/lestrrat-go/jwx/v2-v2.0.6 #110
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2024-21664 - High Severity Vulnerability
Implementation of various JWx (Javascript Object Signing and Encryption/JOSE) technologies
Library home page: https://proxy.golang.org/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go/pkg/mod/cache/download/github.com/lestrrat-go/jwx/v2/@v/v2.0.6.mod
Dependency Hierarchy:
Found in base branch: main
jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling
jws.Parsewith a JSON serialized payload where thesignaturefield is present whileprotectedis absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS a system doing JWS verification. This vulnerability has been patched in versions 2.0.19 and 1.2.28.Publish Date: 2024-01-09
URL: CVE-2024-21664
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-pvcr-v8j8-j5q3
Release Date: 2024-01-09
Fix Resolution: v1.2.28, v2.0.19
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: