{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T07:52:08.729","vulnerabilities":[{"cve":{"id":"CVE-2023-49290","sourceIdentifier":"security-advisories@github.com","published":"2023-12-05T00:15:09.190","lastModified":"2024-11-21T08:33:11.897","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's algorithm PBES2-* could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive. Therefore, if an attacker sets the p2c parameter in JWE to a very large number, it can cause a lot of computational consumption, resulting in a denial of service. This vulnerability has been addressed in commit `64f2a229b` which has been included in release version 1.2.27 and 2.0.18. Users are advised to upgrade. There are no known workarounds for this vulnerability."},{"lang":"es","value":"lestrrat-go/jwx es un módulo Go que implementa varias tecnologías JWx (JWA/JWE/JWK/JWS/JWT, también conocidas como JOSE). Un parámetro p2c establecido demasiado alto en el algoritmo PBES2-* de JWE podría provocar una denegación de servicio. Los algoritmos de gestión de claves JWE basados en PBKDF2 requieren un parámetro de encabezado JOSE llamado p2c (PBES2 Count). Este parámetro dicta el número de iteraciones de PBKDF2 necesarias para derivar una clave de envoltura CEK. Su objetivo principal es ralentizar intencionalmente la función de derivación de claves, haciendo que los ataques de fuerza bruta a contraseñas y de diccionario requieran más recursos. Por lo tanto, si un atacante establece el parámetro p2c en JWE en un número muy grande, puede provocar un gran consumo computacional, lo que resultará en una denegación de servicio. Esta vulnerabilidad se solucionó en el commit `64f2a229b` que se incluyó en las versiones 1.2.27 y 2.0.18. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-400"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:lestrrat-go:jwx:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.27","matchCriteriaId":"D883F8E3-02A2-4BC4-ADB3-F420624DD720"},{"vulnerable":true,"criteria":"cpe:2.3:a:lestrrat-go:jwx:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.0.18","matchCriteriaId":"566A6052-A735-4FDB-975D-47C594210E70"}]}]}],"references":[{"url":"https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/lestrrat-go/jwx/commit/64f2a229b8e18605f47361d292b526bdc4aee01c","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/lestrrat-go/jwx/security/advisories/GHSA-7f9x-gw85-8grf","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Vendor Advisory"]}]}}]}