## Summary: Duplicate Advisory: Microsoft Identity Denial of service vulnerability
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-59j7-ghrg-fj52. This link is maintained to preserve external references.
### Original Description
### Impact
An attacker could exploit this vulnerability by crafting a malicious JSON Web Encryption (JWE) token whose compressed payload has a very high compression ratio. When a server processes this token, decompressing the payload leads to excessive memory allocation and processing time, causing a denial-of-service (DoS) condition.
It's important to note that the attacker must have access to the public encryption key registered with the IdP (Entra ID) for successful exploitation.
_According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?_
A scope change (S:C) in the CVSS metric indicates that successful exploitation of this vulnerability could extend beyond the immediate processing of malicious tokens, affecting the overall availability of the system by causing a denial-of-service (DoS) condition.
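The mitigation class for this kind of issue is to bound the output of the JWE `"zip": "DEF"` step before parsing the claims, so that a few kilobytes of compressed plaintext can never force the token handler to allocate an unbounded amount of memory. The Python below is an added example written for this page; it is not code from Microsoft.IdentityModel, and the cap value, the helper names (`inflate_bounded`, `plaintext_to_claims`, `try_decode`) and the sample claim set are all assumptions constructed for the example. It uses raw DEFLATE (`wbits=-15`), which is what RFC 7516 specifies for `"DEF"`, and decompresses in fixed-size chunks so the limit is enforced before the data is ever materialised.

```python
"""Bounded handling of the JWE "zip": "DEF" step.

Added example for this advisory; it is not Microsoft.IdentityModel code.
The cap, helper names and sample data below are constructed for the example.
"""
import json
import zlib

# Hypothetical cap on inflated claim-set size. A real token handler would size
# this to the largest legitimate claim set it expects to receive.
MAX_INFLATED_BYTES = 64 * 1024


class InflateLimitExceeded(ValueError):
    """Raised when decompressing would exceed the configured output cap."""


def inflate_bounded(deflated: bytes, limit: int = MAX_INFLATED_BYTES,
                    chunk: int = 4096) -> bytes:
    """Inflate a raw DEFLATE stream without ever holding more than `limit`
    bytes of output, regardless of how small the compressed input is.

    wbits=-15 selects raw DEFLATE (no zlib/gzip framing), which is what
    RFC 7516 specifies for the "DEF" compression algorithm.
    """
    d = zlib.decompressobj(-15)
    out = bytearray()
    buf = deflated
    while not d.eof:
        # max_length bounds the output of this call; compressed input that
        # could not be processed yet is parked in d.unconsumed_tail.
        piece = d.decompress(buf, chunk)
        out += piece
        if len(out) > limit:
            raise InflateLimitExceeded(
                f"inflated payload exceeds {limit} bytes after reading "
                f"{len(deflated)} compressed bytes")
        buf = d.unconsumed_tail
        if not piece and not buf and not d.eof:
            raise zlib.error("truncated DEFLATE stream")
    return bytes(out)


def plaintext_to_claims(protected_header: dict, plaintext: bytes) -> dict:
    """Apply the JWE 'zip' step to the already-decrypted plaintext (RFC 7516
    section 5.2, step 17) and parse the resulting JSON claim set."""
    zip_alg = protected_header.get("zip")
    if zip_alg == "DEF":
        plaintext = inflate_bounded(plaintext)
    elif zip_alg is not None:
        raise ValueError(f"unsupported zip algorithm {zip_alg!r}")
    return json.loads(plaintext)


def try_decode(protected_header: dict, plaintext: bytes):
    """Return (claims, None) on success or (None, reason) when the cap trips."""
    try:
        return plaintext_to_claims(protected_header, plaintext), None
    except InflateLimitExceeded as exc:
        return None, str(exc)


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE compression, used here only to build the sample inputs."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return co.compress(data) + co.flush()


# Constructed sample inputs (not taken from any real token).
HEADER = {"alg": "RSA-OAEP", "enc": "A256GCM", "zip": "DEF"}
SAMPLE_CLAIMS = {"sub": "alice", "iss": "https://idp.example.test", "aud": "api"}
SAMPLE_PLAINTEXT = deflate_raw(json.dumps(SAMPLE_CLAIMS).encode())
# A few kilobytes of compressed data that would inflate to 2 MiB.
OVERSIZED_PLAINTEXT = deflate_raw(b"0" * (2 * 1024 * 1024))

if __name__ == "__main__":
    print(try_decode(HEADER, SAMPLE_PLAINTEXT))
    print(len(OVERSIZED_PLAINTEXT), "compressed bytes ->",
          try_decode(HEADER, OVERSIZED_PLAINTEXT)[1])
```

The legitimate claim set round-trips unchanged, while the oversized payload is rejected after at most `limit + chunk` bytes have been produced, independent of how large it would have become. Rejecting the token at this point is the defender's decision in the handler; the example only reports the reason so the caller can log it.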
### Patches
The vulnerability has been fixed. Users should update **all** their Microsoft.IdentityModel versions to 7.1.2 or higher (for 7.x), 6.34.0 or higher (for 6.x), and 5.7.0 (for 5.x).
### Workarounds
None; users must upgrade.
### References
https://aka.ms/IdentityModel/Jan2024/zip