[GHSA-3prj-6hqw-cm82] PHP JWT Library: PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service #8096
Conversation
Hi there @Spomky! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
| "introduced": "4.0.0" | ||
| }, | ||
| { | ||
| "fixed": "4.1.7" |
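Review bot: the `"fixed": "4.1.7"` value paired with `"introduced": "4.0.0"` in this range is the point to verify before merging; the review comment on this PR suggests `"4.0.7"` instead, matching the sibling change in github/advisory-database#8095, so the exact first patched tag should be confirmed against the project's releases page (https://github.com/web-token/jwt-framework/releases). A fixed version set too high leaves already-patched 4.0.x releases flagged as vulnerable in tooling that consumes the advisory, while one set too low hides the CPU-amplification denial of service from users still on affected versions, so the range should reflect the actual patched release rather than be carried over from another package's range.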
This should probably be "4.0.7", similar to how it looks in https://github.com/github/advisory-database/pull/8095/changes
And I don't know what that last_known_affected_version_range means underneath.
I think I put that in the "Suggest improvements for this vulnerability" form correctly, but maybe I messed up, so whoever reviews this, maybe double check.
The affected and patched versions for web-token/jwt-framework were incorrect, the ones for web-token/jwt-library were correct. See: https://github.com/web-token/jwt-framework/releases