{"id":"CVE-2023-52428","details":"In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.","aliases":["GHSA-gvpg-vgmx-xg6w"],"modified":"2026-04-10T05:07:02.694559Z","published":"2024-02-11T05:15:08.383Z","related":["CGA-q8f4-hf48-hq6g"],"references":[{"type":"WEB","url":"https://connect2id.com/products/nimbus-jose-jwt"},{"type":"REPORT","url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/"},{"type":"FIX","url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://bitbucket.org/connect2id/nimbus-jose-jwt","events":[{"introduced":"0"},{"fixed":"e283ea02909e00645a622f16977659f8a7ba5b00"},{"fixed":"3b3b77e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"9.37.2"}]}}],"versions":["2.0","2.0.1","2.1","2.1.1","2.10","2.10.1","2.11.0","2.12.0","2.13.0","2.13.1","2.14.0","2.15.0","2.15.1","2.15.2","2.16","2.17","2.17.1","2.17.2","2.18","2.18.1","2.18.2","2.19","2.19.1","2.2","2.20","2.21","2.22","2.22.1","2.23","2.24","2.25","2.26","2.26.1","2.3","2.4","2.5","2.6","2.7","2.8","2.9","3.0","3.1","3.1.1","3.1.2","3.10","3.2","3.2.1","3.2.2","3.3","3.4","3.5","3.6","3.7","3.8","3.8.1","3.8.2","3.9","3.9.1","3.9.2","4.0","4.0-rc1","4.0-rc2","4.0-rc3","4.0-rc4","4.0.1","4.1","4.1.1","4.10","4.11","4.11.1","4.11.2","4.12","4.13.1","4.14","4.15","4.15.1","4.16","4.16.1","4.16.2","4.17","4.18","4.19","4.2","4.20","4.21","4.22","4.23","4.24","4.25","4.26","4.26.1","4.27","4.27.1","4.28","4.29","4.3","4.3.1","4.30","4.31.1","4.32","4.33","4.34","4.34.1","4.34.2","4.35","4.36","4.37","4.37.1","4.38","4.39","4.39.1","4.39.2","4.4","4.40","4.41","4.41.1","4.41.2","4.5","4.6","4.7","4.8","4.9","5.0","5.1","5.10","5.11","5.12","5.13","5.14","5.2","5.3","5.4","5.5","5.6","5.7","5.8","5.9","6.0","6.0.1","6.0.2","6.1","6.1.1","6.2","6.3","6.3.1","6.4","6.4.1","6.4.2","6.5","6.5.1","6.6","6.7","6.8","7.0","7.0.1","7.1","7.2.1","7.3","7.3.1","7.4","7.5","7.5.1","7.6","7.7","7.8","7.9","8.0","8.1","8.10","8.11","8.12","8.13","8.14","8.14.1","8.15","8.16","8.17","8.17.1","8.18","8.18.1","8.19","8.2","8.2.1","8.20","8.3","8.4","8.4.1","8.5","8.5.1","8.6","8.7","8.8","8.9","9.0","9.0.1","9.1","9.1.1","9.1.2","9.1.3","9.1.4","9.1.5","9.10","9.10.1","9.11","9.11.1","9.11.2","9.11.3","9.12","9.12.1","9.13","9.14","9.15","9.15.1","9.15.2","9.16","9.16-preview.1","9.16.1","9.18","9.19","9.2","9.20","9.21","9.21.1","9.22","9.23","9.24","9.24.1","9.24.2","9.24.3","9.24.4","9.25","9.25.1","9.25.2","9.25.3","9.25.4","9.25.5","9.25.6","9.26","9.27","9.28","9.29","9.3","9.30","9.30.1","9.30.2","9.31","9.32","9.33","9.34","9.35","9.36","9.37","9.37.1","9.4","9.4.1","9.4.2","9.5","9.6","9.6.1","9.7","9.8","9.8.1","9.9","9.9.1","9.9.2","9.9.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52428.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}