CVE-2024-29370
Duplicate Advisory: python-jose denial of service via compressed JWE content
5.3
MEDIUM
CVSS 3.1
EPSS 0.16%
Description
In python-jose 3.3.0, `jwe.decrypt` is vulnerable to a Denial-of-Service (DoS) attack. A JWE whose protected header carries `"zip":"DEF"` has DEFLATE-compressed plaintext, and `jwe.decrypt` inflates that plaintext without bounding the output size. An attacker who can submit a token to the server therefore only needs to craft a JWE with an exceptionally high compression ratio (a few kilobytes of compressed content that inflates to hundreds of megabytes): decrypting it forces the server to allocate and process the fully inflated buffer, exhausting memory and CPU.
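The following is an added illustration of the mechanism described above, not code from python-jose or from the advisory. It builds a constructed compressed payload of the kind the description refers to (raw DEFLATE, as RFC 7516 specifies for `"zip":"DEF"`), shows the unbounded inflate that a vulnerable decrypt path performs, and contrasts it with an inflate that stops at a caller-chosen ceiling. The 1 MiB ceiling, the function names, and the sample protected header are assumptions for this example only; they are not the limits or APIs used by python-jose 3.4.0.

```python
import base64
import json
import zlib

# Ceiling on inflated plaintext. The value is an assumption for this example,
# not the limit any particular library enforces.
MAX_PLAINTEXT_BYTES = 1 << 20  # 1 MiB


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JOSE segment (padding is stripped on the wire)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def protected_header(token: str) -> dict:
    """Parse the protected header of a compact-serialized JWE (first segment)."""
    return json.loads(b64url_decode(token.split(".")[0]))


def make_bomb(inflated_size: int) -> bytes:
    """Constructed attacker payload: raw DEFLATE (RFC 1951, wbits=-15) of
    `inflated_size` zero bytes. DEFLATE compresses this at roughly 1000:1."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(b"\x00" * inflated_size) + c.flush()


def inflate_unbounded(data: bytes) -> bytes:
    """The vulnerable pattern: inflate whatever the sender supplied, fully."""
    return zlib.decompress(data, wbits=-15)


def inflate_bounded(data: bytes, max_out: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate at most `max_out` bytes and refuse the stream if more remains.

    decompressobj().decompress(data, max_length) stops once max_length output
    bytes have been produced, so memory is capped regardless of the ratio.
    `eof` is False both when output was cut off and when the input is
    truncated; either way the token is rejected rather than trusted.
    """
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, max_out)
    if not d.eof:
        raise ValueError("inflated plaintext would exceed %d bytes" % max_out)
    return out


def plaintext_from_decrypted(token: str, decrypted: bytes,
                             max_out: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Post-decryption step of a JWE consumer: apply `zip` from the protected
    header to the decrypted bytes, with the bounded inflate. `decrypted` stands
    in for the output of the (omitted) AEAD decryption."""
    zip_alg = protected_header(token).get("zip")
    if zip_alg is None:
        return decrypted
    if zip_alg != "DEF":
        raise ValueError("unsupported zip algorithm %r" % zip_alg)
    return inflate_bounded(decrypted, max_out)


# Constructed compact JWE skeleton: only the protected header is meaningful
# here; the remaining segments are placeholders because this example starts
# after decryption. Header values are assumptions for the example.
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(
        {"alg": "dir", "enc": "A256GCM", "zip": "DEF"}).encode()),
    "", "", "", "",
])


if __name__ == "__main__":
    bomb = make_bomb(16 * 1024 * 1024)
    print("compressed bytes:", len(bomb))
    print("unbounded inflate:", len(inflate_unbounded(bomb)), "bytes")
    try:
        plaintext_from_decrypted(SAMPLE_TOKEN, bomb)
    except ValueError as e:
        print("bounded inflate rejected it:", e)
    print("legit payload:", plaintext_from_decrypted(
        SAMPLE_TOKEN, make_bomb(1024)) == b"\x00" * 1024)
```

A token-level cap like this only protects the inflate step: a server that also accepts arbitrarily large request bodies still needs a transport-level size limit in front of it.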
How to fix CVE-2024-29370
To remediate CVE-2024-29370, upgrade the affected package to a fixed version below. Until the upgrade is deployed, rejecting JWE tokens whose protected header contains a `zip` member, and capping inbound request body size, limits the exposure described above.
- no fix listed
- python-jose (PyPI): upgrade to 3.4.0 or later
- no fix listed
Is CVE-2024-29370 being exploited?
Low: EPSS is 0.16%, a low predicted probability of exploitation; exploitation activity has not been observed at scale.
Affected packages (3)
- from 0
- from 0, < 3.4.0
- from 0, <= 3.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |