CVE-2024-33664
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-33664
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2024-33664.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | python-jose | <3.4.0 | 3.4.0 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-33664
- https://github.com/mpdavis/python-jose/issues/344
- https://github.com/mpdavis/python-jose/pull/345
- https://github.com/mpdavis/python-jose
- https://github.com/mpdavis/python-jose/releases/tag/3.4.0
- https://github.com/pypa/advisory-database/tree/main/vulns/python-jose/PYSEC-2024-233.yaml
- https://www.vicarius.io/vsociety/posts/jwt-bomb-in-python-jose-cve-2024-33664
- https://www.suse.com/security/cve/CVE-2024-33664.html
- https://security-tracker.debian.org/tracker/CVE-2024-33664
Verify integrity in audit chain (admin only). AS-IS.