{"id":"CVE-2022-38493","details":"Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn't check the RSA private key length before RSA-OAEP decryption. This allows attackers to cause a Denial of Service via a crafted JWE (JSON Web Encryption) token.","modified":"2026-04-12T01:27:54.569688Z","published":"2022-08-20T20:15:08.613Z","references":[{"type":"FIX","url":"https://github.com/babelouest/rhonabwy/commit/dd528b3aabd13863f855a68e76966e4e019fc399"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/babelouest/rhonabwy","events":[{"introduced":"d439802e37931e1e456be0df29da5bab1056eef3"},{"fixed":"775a8e82719571ab8328a0782bcf40133ec65bfd"},{"fixed":"dd528b3aabd13863f855a68e76966e4e019fc399"}],"database_specific":{"versions":[{"introduced":"0.9.99"},{"fixed":"1.1.6"}]}}],"versions":["v0.9.99","v0.9.999","v0.9.9999","v1.0.0","v1.1.0","v1.1.1","v1.1.2","v1.1.3","v1.1.4","v1.1.5"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"length":450,"function_hash":"191041741188240626579110676124446667317"},"target":{"file":"src/jwe.c","function":"rsa_oaep_sha1_decrypt"},"source":"https://github.com/babelouest/rhonabwy/commit/dd528b3aabd13863f855a68e76966e4e019fc399","signature_type":"Function","id":"CVE-2022-38493-1b8e20fe","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["231030406526627522593777398537792131423","308881556782095445872402939409484824551","198452387046156747561451974890062069206","339588104428451684387402747213815227530","233173281795487996994913448712152513308","333777022699184682584032986641932898703"]},"target":{"file":"src/jwe.c"},"source":"https://github.com/babelouest/rhonabwy/commit/dd528b3aabd13863f855a68e76966e4e019fc399","signature_type":"Line","id":"CVE-2022-38493-255c9301","deprecated":false},{"signature_version":"v1","digest":{"length":460,"function_hash":"249330863341517819856699152583927362549"},"target":{"file":"src/jwe.c","function":"rsa_oaep_sha256_decrypt"},"source":"https://github.com/babelouest/rhonabwy/commit/dd528b3aabd13863f855a68e76966e4e019fc399","signature_type":"Function","id":"CVE-2022-38493-a002f451","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-38493.json","vanir_signatures_modified":"2026-04-12T01:27:54Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}