
Security Bulletin: IBM Engineering Lifecycle Optimization – Publishing – In Connect2id Nimbus JOSE+JWT, an attacker can cause a denial of service

Summary

Connect2id Nimbus-JOSE-JWT is vulnerable to a denial of service, caused by improper validation of user requests by the PasswordBasedDecrypter (PBKDF2) component. By sending a specially crafted request using a large JWE p2c header, a remote attacker could exploit this vulnerability to cause a denial of service. The following IBM® Engineering Lifecycle Management product is vulnerable to this attack; it has been addressed in this bulletin: IBM Engineering Lifecycle Optimization – Publishing

Vulnerability Details

CVEID: CVE-2023-52428
DESCRIPTION: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)| Version(s)
---|---
IBM Engineering Lifecycle Optimization – Publishing| 7.0.3
IBM Engineering Lifecycle Optimization – Publishing| 7.0.2

Remediation/Fixes

If the products are deployed on one of the above versions, please follow the instructions given in the following article.

Product and Version(s)| iFix
---|---
IBM Engineering Lifecycle Optimization – Publishing – 7.0.3| iFix016
IBM Engineering Lifecycle Optimization – Publishing – 7.0.2| iFix035

Workarounds and Mitigations…
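As an added defensive example (not code from this bulletin, from IBM, or from the Nimbus JOSE+JWT library): a pre-check that inspects only the protected header of a compact JWE and rejects an oversized p2c iteration count before any PBKDF2 work is started, which is the resource-consumption path the CVE describes. The cap value, the helper names and the dummy non-header segments used to build sample tokens are assumptions for this example.

```python
import base64
import json

# Assumed policy cap on the PBES2 iteration count; pick one that fits your
# latency budget. Anything above it is refused before key derivation runs.
MAX_P2C = 1_000_000
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}


def _b64url_decode(segment: str) -> bytes:
    # JOSE base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jwe_p2c(compact_jwe: str, max_p2c: int = MAX_P2C) -> tuple:
    """Decide whether a compact JWE is safe to hand to a PBES2 decrypter.

    Returns (ok, reason). Only the protected header is parsed; no key
    derivation or decryption happens here.
    """
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        return False, "not a compact JWE (expected 5 segments)"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, json.JSONDecodeError):
        return False, "protected header is not valid base64url JSON"
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        return True, f"alg {alg!r} is not PBES2; p2c not applicable"
    p2c = header.get("p2c")
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        return False, "p2c missing or not an integer"
    if p2c < 1:
        return False, "p2c must be positive"
    if p2c > max_p2c:
        return False, f"p2c={p2c} exceeds cap {max_p2c}"
    return True, f"p2c={p2c} within cap"


def make_sample_jwe(alg: str, p2c) -> str:
    """Build a constructed compact JWE for testing; the encrypted key, IV,
    ciphertext and tag segments are dummies, only the header matters."""
    hdr = {"alg": alg, "enc": "A128CBC-HS256", "p2s": "AAAAAAAAAAAAAAAA", "p2c": p2c}
    raw = json.dumps(hdr, separators=(",", ":")).encode()
    b64 = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64, "AAAA", "AAAA", "AAAA", "AAAA"])
```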
