CVE-2024-28102

medium
Published 2024-04-30 · Modified 2024-05-07
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
CVSS v2
VIR risk
5.5

Description

Moderate: python-jwcrypto security update

Predictions

Exploit likelihood
30%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2024-2559.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2268758

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-28102

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:2559

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2024-28102.html

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:3267

vendor Authored 2026-05-27

Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2024:2559

Mitigation details

Source: Red Hat Errata — Red Hat Inc.


Description

python-jwcrypto: malicious JWE token can cause denial of service

Red Hat statement

The CVE-2024-28102 vulnerability in JWCrypto represents a moderate severity issue due to its potential impact on system availability and resource consumption. While the vulnerability allows for a denial of service (DoS) attack, it requires an attacker to craft a malicious JWE Token with a high compression ratio. This specific condition limits the practical exploitability of the vulnerability to some extent, as it demands a more sophisticated attack approach than common vulnerabilities. Nonetheless, if exploited, the vulnerability can lead to significant memory exhaustion and increased server processing time, impacting the overall performance and availability of the affected system.
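The statement above describes a decompression-ratio problem: a small JWE payload compressed with "zip": "DEF" (raw DEFLATE, RFC 7516 section 4.1.3) can inflate to a very large plaintext. The following Python is an added illustration, not code from this page, from jwcrypto or from Red Hat: it inflates a raw DEFLATE stream under a size cap so that an over-budget token is rejected after at most limit+1 bytes are produced. The 256 KiB cap and the sample inputs are assumed values constructed for the example.

```python
import zlib

# Assumed cap on the inflated size of one JWE payload (example value, not from the advisory).
MAX_INFLATED_BYTES = 256 * 1024


class PayloadTooLarge(ValueError):
    """The DEFLATE stream would inflate past the configured cap."""


def deflate_raw(plaintext: bytes) -> bytes:
    """Raw DEFLATE with no zlib header (wbits=-15), as used by JWE "zip": "DEF"."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(plaintext) + c.flush()


def inflate_bounded(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate a raw DEFLATE stream without ever materialising more than limit+1
    bytes: each call asks zlib for at most the remaining budget plus one byte,
    so a high-ratio stream is rejected long before its full plaintext exists."""
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    buf = data
    while True:
        chunk = d.decompress(buf, limit + 1 - len(out))
        out += chunk
        if len(out) > limit:
            raise PayloadTooLarge(f"inflated payload exceeds {limit} bytes")
        if d.eof:
            return bytes(out)
        # Input zlib held back because the output budget for this call was reached.
        buf = d.unconsumed_tail
        if not buf and not chunk:
            raise ValueError("truncated DEFLATE stream")


def inflates_within(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bool:
    """True if data inflates to at most limit bytes, False if it is rejected."""
    try:
        inflate_bounded(data, limit)
    except PayloadTooLarge:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a small claims set, and 4 MiB of zeros that DEFLATE shrinks to a few KiB.
    small = deflate_raw(b'{"sub":"alice"}')
    bomb = deflate_raw(b"\0" * (4 * 1024 * 1024))
    print(len(bomb), inflates_within(small), inflates_within(bomb))
```

The same bound can be applied before any JSON parsing of the decrypted-and-inflated payload, so the cap covers memory as well as the processing time the statement mentions.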

CVSS v3: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)

Errata / fixed releases

Product | Package | Advisory | Released
Red Hat Ansible Automation Platform 2.4 for RHEL 8 | automation-controller-0:4.5.8-1.el8ap | RHSA-2024:4522 | 2024-07-12T00:00:00Z
Red Hat Ansible Automation Platform 2.4 for RHEL 9 | automation-controller-0:4.5.8-1.el9ap | RHSA-2024:4522 | 2024-07-12T00:00:00Z
Red Hat Enterprise Linux 8 | idm:client-8100020240417004735.143e9e98 | RHSA-2024:3267 | 2024-05-22T00:00:00Z
Red Hat Enterprise Linux 8 | idm:DL1-8100020240416171943.823393f5 | RHSA-2024:3267 | 2024-05-22T00:00:00Z
Red Hat Enterprise Linux 9 | python-jwcrypto-0:0.8-5.el9_4 | RHSA-2024:2559 | 2024-04-30T00:00:00Z

Package state

Product | Package | State
Red Hat Enterprise Linux 7 | python-jwcrypto | Out of support scope

Apply commands

bash fix
Apply RHSA-2024:4522 for Red Hat Ansible Automation Platform 2.4 for RHEL 8
yum update -y automation-controller
# or:
dnf upgrade -y automation-controller

OS impact

OS | Version | Status | Fixed in
redhat | rhel9 | fixed |
rockylinux | rocky8 | fixed |
suse | sles | affected |
rockylinux | rocky9 | fixed |
debian | debianbookworm | fixed | 1.1.0-1+deb12u1
debian | debianbullseye | fixed | 0.8.0-1+deb11u1
debian | debianforky | fixed | 1.5.6-1
debian | debiansid | fixed | 1.5.6-1
debian | debiantrixie | fixed | 1.5.6-1

Package impact

Ecosystem | Package | Vulnerable | Fixed
python PyPI | jwcrypto | <1.5.6 | 1.5.6
