CVE-2023-6681
Severity: MEDIUM 5.3 | EPSS: 0.03%
DoS with algorithms that use PBKDF2 due to unbounded PBES2 count value
Published: 12/28/2023Modified: 4/28/2026
Description
A vulnerability was found in JWCrypto. JWE tokens that use the PBES2 key-wrap algorithms (PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW) carry the PBKDF2 iteration count in the protected header as the p2c parameter, and affected versions did not bound that value. An attacker who can submit a token with a very large p2c forces the recipient to run PBKDF2 for that many iterations before the token can be rejected, which consumes a large amount of CPU time and results in a denial of service; the same unbounded cost can also make password brute-force and dictionary attacks against such tokens more resource-intensive. Fixed in jwcrypto 1.5.1, which rejects tokens whose p2c exceeds a configurable maximum.
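The guard the fix adds is simple to state: validate p2c (and p2s) from the protected header before any PBKDF2 work happens. The following is an added illustration, not code from the jwcrypto project: it parses a compact-serialized JWE, applies a cap to p2c, and only then derives the PBES2 key per RFC 7518 section 4.8.1.1 (salt = alg || 0x00 || p2s). The cap value, the helper names and the sample tokens are assumptions made here for illustration; the password, p2s and p2c in the benign sample are the inputs from RFC 7517 Appendix C.

```python
import base64
import hashlib
import json

# RFC 7518 section 4.8: PBES2 key-wrap algorithms, their PRF and derived key length.
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}

# Assumed cap for this example; pick a value that matches what you are
# willing to spend per token, not what the library happens to default to.
DEFAULT_MAX_P2C = 1_000_000


class UnsafePBES2Header(ValueError):
    """Raised when a PBES2 header must not be processed."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_jwe_protected_header(token: str) -> dict:
    """Decode only the protected header of a compact JWE (no key material touched)."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE: expected 5 segments")
    return json.loads(b64url_decode(parts[0]))


def check_pbes2_header(header: dict, max_p2c: int = DEFAULT_MAX_P2C):
    """Validate alg/p2c/p2s before any PBKDF2 work. Returns (alg, p2c, salt_input)."""
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        raise UnsafePBES2Header(f"not a PBES2 alg: {alg!r}")
    p2c = header.get("p2c")
    # bool is an int subclass in Python, so exclude it explicitly.
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
        raise UnsafePBES2Header("p2c must be a positive integer")
    if p2c > max_p2c:
        # This is the missing bound in CVE-2023-6681: refuse before iterating.
        raise UnsafePBES2Header(f"p2c={p2c} exceeds cap {max_p2c}")
    p2s = header.get("p2s")
    if not isinstance(p2s, str):
        raise UnsafePBES2Header("p2s missing or not a string")
    salt_input = b64url_decode(p2s)
    if len(salt_input) < 8:  # RFC 7518 4.8.1.1: p2s SHOULD be at least 8 octets
        raise UnsafePBES2Header("p2s shorter than 8 octets")
    return alg, p2c, salt_input


def derive_pbes2_key(password: bytes, header: dict, max_p2c: int = DEFAULT_MAX_P2C) -> bytes:
    """PBES2 key derivation from RFC 7518 4.8.1.1, run only after the header passes the guard."""
    alg, p2c, salt_input = check_pbes2_header(header, max_p2c)
    prf, keylen = PBES2_ALGS[alg]
    salt = alg.encode("utf-8") + b"\x00" + salt_input
    return hashlib.pbkdf2_hmac(prf, password, salt, p2c, dklen=keylen)


def make_constructed_token(header: dict) -> str:
    """Constructed compact JWE for the demo: the four non-header segments are dummy bytes."""
    segs = [json.dumps(header, separators=(",", ":")).encode(),
            b"\x00" * 24, b"\x00" * 12, b"\x00" * 16, b"\x00" * 16]
    return ".".join(b64url_encode(s) for s in segs)


def safe_to_unwrap(token: str, max_p2c: int = DEFAULT_MAX_P2C) -> bool:
    """True if the token's PBES2 header passes the guard, False if it must be dropped."""
    try:
        check_pbes2_header(parse_jwe_protected_header(token), max_p2c)
        return True
    except (UnsafePBES2Header, ValueError):
        return False


# Inputs from RFC 7517 Appendix C (password, p2s, p2c); "enc" is a constructed choice.
RFC7517_PASSWORD = b"Thus from my lips, by yours, my sin is purged."
BENIGN_HEADER = {"alg": "PBES2-HS256+A128KW", "enc": "A128CBC-HS256",
                 "p2s": "2WCTcJZ1Rvd_CJuJripQ1w", "p2c": 4096}
# Constructed hostile header: same algorithm, absurd iteration count.
HOSTILE_HEADER = dict(BENIGN_HEADER, p2c=2 ** 31)

if __name__ == "__main__":
    benign = make_constructed_token(BENIGN_HEADER)
    hostile = make_constructed_token(HOSTILE_HEADER)
    print("benign token accepted:", safe_to_unwrap(benign))
    print("hostile token accepted:", safe_to_unwrap(hostile))
    key = derive_pbes2_key(RFC7517_PASSWORD, BENIGN_HEADER)
    print("derived key length:", len(key))
```

The order matters: the header is parsed and p2c is compared against the cap before hashlib.pbkdf2_hmac is ever called, so a hostile token costs a JSON decode and an integer comparison rather than billions of HMAC invocations. When you upgrade to a fixed jwcrypto, also decide what cap you actually want; a cap high enough to accept every legitimate token from your own issuer, and no higher, is the right setting.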
Affected packages (2)
- Debian/python-jwcrypto: from 0
- PyPI/jwcrypto: from 0, < 1.5.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References (10)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-6681
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2023-6681
- PATCH https://github.com/latchset/jwcrypto
- WEB https://access.redhat.com/errata/RHSA-2024:3267
- WEB https://access.redhat.com/errata/RHSA-2024:9281
- WEB https://access.redhat.com/security/cve/CVE-2023-6681
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=2260843
- WEB https://github.com/latchset/jwcrypto/commit/d2655d370586cb830e49acfb450f87598da60be8
- WEB https://github.com/latchset/jwcrypto/security/advisories/GHSA-cw2r-4p82-qv79
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/jwcrypto/PYSEC-2024-104.yaml