CVE-2023-49290

Description

The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive. However, if an attacker sets the p2c parameter in JWE to a very large number, it can cause excessive computational consumption.

How to fix CVE-2023-49290

To remediate CVE-2023-49290, upgrade the affected package to a fixed version below.

• —upgrade to 1.2.27 or later
• —upgrade to 1.2.27 or later
• —upgrade to 2.0.18 or later
• —upgrade to 2.0.18 or later

Is CVE-2023-49290 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 1.2.27
• from 0, < 1.2.27
• from 0, < 2.0.18
• from 0, < 2.0.18

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-49290
• PATCHgithub.com/lestrrat-go/jwx
• WEBgithub.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c
• WEBgithub.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf