CVE-2024-28180

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-28180

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

P

ackage jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

References
Link Resource
https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298 Patch
https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a Patch
https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502 Patch
https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g Vendor Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/ Mailing List Third Party Advisory
https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298 Patch
https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a Patch
https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502 Patch
https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g Vendor Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/ Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:go-jose_project:go-jose:*:*:*:*:*:*:*:*
cpe:2.3:a:go-jose_project:go-jose:*:*:*:*:*:*:*:*
cpe:2.3:a:go-jose_project:go-jose:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:*:*:*:*:*:*:*:*
History

03 Dec 2025, 20:29

Type Values Removed Values Added
References () https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298 - () https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298 - Patch
References () https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a - () https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a - Patch
References () https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502 - () https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502 - Patch
References () https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g - () https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g - Vendor Advisory
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/ - Mailing List, Third Party Advisory
CPE cpe:2.3:o:fedoraproject:fedora:*:*:*:*:*:*:*:*
cpe:2.3:a:go-jose_project:go-jose:*:*:*:*:*:*:*:*
First Time Fedoraproject fedora
Go-jose Project go-jose
Fedoraproject
Go-jose Project

13 Feb 2025, 18:17

Type Values Removed Values Added
Summary (en) Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3. (en) Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

21 Nov 2024, 09:05

Type Values Removed Values Added
References () https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298 - () https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298 -
References () https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a - () https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a -
References () https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502 - () https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502 -
References () https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g - () https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g -
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/ -
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/ -
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/ -
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/ -
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/ -
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/ -
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/ -
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/ -
References () https://lists.fedoraproject.org/archives/list/[email protected]/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/ - () https://lists.fedoraproject.org/archives/list/[email protected]/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/ -

12 Jun 2024, 02:15

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/[email protected]/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/ -
Information

Published : 2024-03-09 01:15

Updated : 2025-12-03 20:29

NVD link : CVE-2024-28180

Mitre link : CVE-2024-28180

CVE.ORG link : CVE-2024-28180

JSON object : View

Products Affected

fedoraproject

go-jose_project

CWE
CWE-409

Improper Handling of Highly Compressed Data (Data Amplification)