MEDIUM🇬🇧 English

CVE-2026-39373

CVSS 5.3v3.1pub. 2026-04-07upd. 2026-04-15

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • Latchset Jwcrypto

    APP
    Latchset
    < 1.5.7
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Auth Bypass
CWE
Referencje

Powiązane podatności

CVE-2024-28102MEDIUM6.8ten sam produkt

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an att...

CVE-2023-6681MEDIUM5.3ten sam produkt

A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack ...

CVE-2016-6298MEDIUM5.3ten sam produkt

The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random F...

CVE-2023-50967HIGH7.5ten sam vendor

latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p...

CVE-2023-6258HIGH8.1ten sam vendor

A security vulnerability has been identified in the pkcs11-provider, which is associated with Public-Key Crypt...