CVE-2023-52428

WSO2 Products impacted: no

Customer actions required: no


REPORTED VULNERABILITY

An attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. The p2c value is chosen by whoever creates the JWE, so a recipient that passes it to PBKDF2 without an upper bound lets an unauthenticated sender dictate how much CPU time every decryption attempt consumes, before the wrapped key is even checked.

REPORTED PRODUCTS

  • WSO2 Identity Server : 5.9.0, 5.10.0, 5.11.0, 6.0.0, 6.1.0, 7.0.0, 7.1.0

WSO2 JUSTIFICATION

This vulnerability is fixed in Nimbus JOSE JWT version 9.37.2 and later, which enforces an upper bound on the p2c iteration count accepted by PasswordBasedDecrypter. However, there are backward-incompatible changes between Nimbus JOSE JWT 7.x and 9.x that require implementation changes in WSO2 products. For this reason we are publishing this CVE justification with an analysis of the CVE, outlining how the associated risk is mitigated in WSO2 products and the actions WSO2 is taking in response.
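As an added illustration of the vulnerability described under REPORTED VULNERABILITY and of the kind of bound the fixed library applies (this is example code written for this page, not WSO2's or Nimbus JOSE+JWT's own; the cap value, the sample password and salt, and all function names are assumptions), the following Python derives the PBES2 key-encryption key the way RFC 7518 specifies, once with the sender's p2c honoured unconditionally and once with a cap checked before any PBKDF2 work is done:

```python
"""Added example (not WSO2 or Nimbus JOSE+JWT code): PBES2 key derivation that
honours an unbounded JWE "p2c" header (the behaviour CVE-2023-52428 describes)
beside the same routine with an iteration cap. MAX_P2C, the sample password and
salt, and the function names are assumptions for illustration."""
from typing import Optional
import base64
import hashlib
import json
import time

MAX_P2C = 1_000_000  # assumed cap; size it to the CPU you will spend per JWE

# RFC 7518 section 4.8: PBES2 alg -> (PBKDF2 PRF, derived key length in bytes)
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_protected_header(alg: str, p2c, salt: bytes) -> str:
    """Build the base64url JWE protected header that a sender (or attacker) controls."""
    hdr = {"alg": alg, "enc": "A128GCM", "p2s": b64url_encode(salt), "p2c": p2c}
    return b64url_encode(json.dumps(hdr, separators=(",", ":")).encode())


def derive_kek(password: bytes, protected_header: str, max_p2c: Optional[int]) -> bytes:
    """Derive the PBES2 key-encryption key (RFC 7518 section 4.8.1.1).

    max_p2c=None reproduces the vulnerable behaviour: whatever p2c the sender put
    in the header goes straight to PBKDF2, so the sender chooses how much CPU the
    recipient burns before the AES key-unwrap can even fail. With a cap, oversized
    counts are rejected before any PBKDF2 work starts.
    """
    hdr = json.loads(b64url_decode(protected_header))
    alg = hdr.get("alg")
    if alg not in PBES2_ALGS:
        raise ValueError(f"not a PBES2 algorithm: {alg!r}")
    p2c = hdr.get("p2c")
    # JSON "true" deserialises as bool, an int subclass in Python; reject it explicitly.
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
        raise ValueError("p2c must be a positive integer")
    if max_p2c is not None and p2c > max_p2c:
        raise ValueError(f"p2c {p2c} exceeds the configured maximum {max_p2c}")
    prf, dklen = PBES2_ALGS[alg]
    # RFC 7518: PBKDF2 salt = UTF8(alg) || 0x00 || p2s
    salt = alg.encode() + b"\x00" + b64url_decode(hdr["p2s"])
    return hashlib.pbkdf2_hmac(prf, password, salt, p2c, dklen)


def time_derivation(password: bytes, protected_header: str, max_p2c: Optional[int]) -> float:
    """Seconds spent in derive_kek; a header rejected by the cap costs microseconds."""
    start = time.perf_counter()
    try:
        derive_kek(password, protected_header, max_p2c)
    except ValueError:
        pass
    return time.perf_counter() - start


if __name__ == "__main__":
    password = b"recipient-password"   # constructed sample
    salt = bytes(range(16))            # constructed sample p2s
    honest = make_protected_header("PBES2-HS256+A128KW", 10_000, salt)
    hostile = make_protected_header("PBES2-HS256+A128KW", 5_000_000, salt)
    print("honest header, no cap  :", round(time_derivation(password, honest, None), 3), "s")
    print("hostile header, no cap :", round(time_derivation(password, hostile, None), 3), "s")
    print("hostile header, capped :", round(time_derivation(password, hostile, MAX_P2C), 6), "s")
```

Note that the attacker never needs the recipient's password: the cost is paid in PBKDF2 before the unwrap step discovers that the wrapped key does not verify. The check must therefore run on the parsed header, ahead of key derivation, which is where the bound in the fixed Nimbus release sits.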

The vulnerable component, PasswordBasedDecrypter (the decrypter for the PBES2 password-based key-wrapping algorithms), is not used for decryption anywhere in WSO2 Identity Server. Because the product never invokes it, an attacker-controlled p2c value is never passed to PBKDF2, and the vulnerability is not reachable. This reasoning covers the product as shipped; a deployment that adds custom code or extensions which decrypt PBES2-wrapped JWEs through the bundled Nimbus library would need to apply its own mitigation.

Nonetheless, we are working on the required implementation changes and will upgrade the bundled Nimbus JOSE JWT dependency to a non-vulnerable version (9.37.2 or later).

REFERENCES