Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk High flyway] - High Allocation of Resources Without Limits or Throttling(Due 03/22/2024) #5731

Closed
1 task
fec-jli opened this issue Feb 21, 2024 · 0 comments
Closed
1 task

[Snyk High flyway] - High Allocation of Resources Without Limits or Throttling(Due 03/22/2024) #5731

fec-jli opened this issue Feb 21, 2024 · 0 comments
Assignees
@cnlucas
Labels
Pipeline: Assigned Security: high Remediate within 30 days Work: Back-end
Milestone
24.3

Comments

@fec-jli
Copy link
Contributor

fec-jli commented Feb 21, 2024

https://app.snyk.io/org/fecgov/project/e6c155e9-f0ac-4a49-98fa-83c24f5b74b3#issue-SNYK-JAVA-COMNIMBUSDS-6247633

Introduced through
org.flywaydb:[email protected]
Fixed in
com.nimbusds:[email protected]
Exploit maturity
NO KNOWN EXPLOIT
Show less detail
Detailed paths
Introduced through: unknown:[email protected] › org.flywaydb:[email protected] › com.microsoft.azure:[email protected] › com.nimbusds:[email protected] › com.nimbusds:[email protected]
Security information
Factors contributing to the scoring:
Snyk: CVSS 7.5 - High Severity

NVD: Not available. NVD has not yet published its analysis.
Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview
com.nimbusds:nimbus-jose-jwt is a library for JSON Web Tokens (JWT)

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a large JWE p2c header value (AKA iteration count) for the PasswordBasedDecrypter (PBKDF2) class. An attacker can cause resource consumption by specifying an excessively large iteration count.

Completion criteria:

  • Not available. NVD has not yet published its analysis.
@fec-jli fec-jli added Work: Back-end Security: high Remediate within 30 days labels Feb 21, 2024
@fec-jli fec-jli added this to the Sprint 24.3 milestone Feb 21, 2024
@fec-jli fec-jli mentioned this issue Feb 21, 2024
Closed
3 tasks
@patphongs patphongs moved this to Sprint backlog in Website project Feb 23, 2024
@cnlucas cnlucas self-assigned this Feb 27, 2024
@cnlucas cnlucas moved this from Sprint backlog to Assigned in Website project Feb 27, 2024
@cnlucas cnlucas mentioned this issue Feb 28, 2024
Merged
This was referenced Feb 29, 2024
Closed
Closed
@github-project-automation github-project-automation bot moved this from 📥 Assigned to ✅ Done in Website project Mar 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cnlucas cnlucas

Labels
Pipeline: Assigned Security: high Remediate within 30 days Work: Back-end
Projects
Website project
Status: ✅ Done
Milestone
24.3
Development

No branches or pull requests
4 participants
@johnnyporkchops @patphongs @fec-jli @cnlucas