[GHSA-3prj-6hqw-cm82] PHP JWT Library: PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service#8629
Conversation
|
Hi there @Spomky! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
|
Note for reviewers: #8096 (opened earlier by @hostep) addresses the same issue on this advisory. This PR differs in two points: the 4.0.x range here is |
Updates
Comments
The
web-token/jwt-frameworkentry listed<= 4.1.6as affected with no patched version, while theweb-token/jwt-libraryentries in this same advisory correctly list 3.4.10, 4.0.7 and 4.1.7 as patched.web-token/jwt-frameworkis the pre-split package (and, in 4.x, a meta-package that pins the correspondingweb-token/jwt-libraryversion), so the same version ranges and patched versions apply to both package names.I verified the fix is present in jwt-framework 3.4.10 by diffing
src/Library/Encryption/Algorithm/KeyEncryption/PBES2AESKW.phpbetween tags 3.4.9 and 3.4.10: 3.4.10 introducesDEFAULT_MAX_COUNT = 1_000_000and enforces it incheckHeaderAdditionalParameters(), which is the mitigation described in this advisory (unboundedp2cPBKDF2 iteration count).This change mirrors the existing
web-token/jwt-libraryranges ontoweb-token/jwt-framework:< 3.4.10→ patched3.4.10>= 4.0.0, < 4.0.7→ patched4.0.7>= 4.1.0, < 4.1.7→ patched4.1.7Impact of the current metadata: the open-ended
<= 4.1.6range with no patched version causes false positives in Dependabot and dependency-review-action for projects correctly resolved to patched 3.4.x versions — e.g. Magento / Adobe Commerce 2.4.8, which resolvesweb-token/jwt-frameworkto 3.4.10 via the^3.4constraint frommagento/product-enterprise-editionand cannot reach 4.x without a platform upgrade.