
CVE-2023-50967: n/a

Severity: High
Published: Wed Mar 20 2024 (03/20/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

AI-Powered Analysis

Last updated: 11/11/2025, 18:27:59 UTC

Technical Analysis

CVE-2023-50967 identifies a denial of service (DoS) vulnerability in the latchset jose cryptographic library, affecting versions through 11. The vulnerability stems from the handling of the PBES2 Count (p2c) parameter, which is part of the password-based encryption scheme 2 (PBES2) used in JSON Object Signing and Encryption (JOSE) standards. Specifically, an attacker can supply an excessively large p2c value, which controls the iteration count for key derivation functions. This large value causes the library to perform an excessive number of CPU-intensive operations, leading to resource exhaustion and denial of service. The CVSS v3.1 score is 7.5 (high), reflecting that the attack can be launched remotely (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts availability (A:H) without affecting confidentiality or integrity. The vulnerability is categorized under CWE-400 (Uncontrolled Resource Consumption). No patches or exploits are currently publicly available, but the risk remains significant due to the potential for service disruption in applications relying on this library for cryptographic functions.

Potential Impact

For European organizations, the primary impact is on availability, as successful exploitation can cause denial of service through CPU exhaustion. This can disrupt critical services that depend on latchset jose for encryption or signing operations, potentially affecting secure communications, authentication mechanisms, or data protection workflows. Industries such as finance, healthcare, and government, which rely heavily on cryptographic libraries for secure data handling, may experience service outages or degraded performance. The lack of impact on confidentiality and integrity limits the risk of data breaches, but operational disruptions could lead to financial losses, reputational damage, and regulatory scrutiny under frameworks like GDPR if service availability is compromised. Organizations with high transaction volumes or real-time processing requirements are particularly vulnerable to performance degradation caused by this vulnerability.

Mitigation Recommendations

Immediate mitigation involves implementing input validation to restrict the maximum allowable p2c value to a safe threshold, preventing excessive CPU consumption. Organizations should monitor usage patterns for unusually high iteration counts in PBES2 operations and apply rate limiting or anomaly detection to mitigate potential abuse. Since no official patch is currently available, consider isolating or sandboxing components using latchset jose to limit the impact of potential DoS attacks. Engage with the library maintainers to track patch releases and plan timely updates once available. Additionally, review cryptographic usage policies to ensure that password-based encryption parameters are configured securely and do not allow untrusted input to control iteration counts. Incorporating these measures into secure development and deployment practices will reduce exposure until a formal fix is released.
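The header check that the first recommendation calls for, as an added example that is not code from the latchset jose project or from this page: it parses only the protected header of a compact JWE and refuses any PBES2 token whose p2c lies outside configured bounds before PBKDF2 ever runs. The cap value, the helper names and the sample tokens are assumptions constructed for the example.

```python
import base64
import json

# PBES2 key-management "alg" values from RFC 7518, section 4.8.
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}
# RFC 7518 recommends at least 1000 iterations. The cap is a deployment choice;
# 100000 is an assumed value for this example, not a figure from the advisory.
MIN_P2C = 1000
MAX_P2C = 100_000

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_pbes2_p2c(compact_jwe: str, max_p2c: int = MAX_P2C) -> tuple[bool, str]:
    """Vet a compact JWE's protected header before any PBKDF2 work; only the
    header is parsed, nothing is unwrapped. Returns (accepted, reason)."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        return False, "not a compact JWE (expected 5 segments)"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64url, bad UTF-8 and bad JSON all land here
        return False, "protected header is not base64url-encoded JSON"
    if not isinstance(header, dict):
        return False, "protected header is not a JSON object"
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        return True, f"alg {alg!r} is not PBES2, so p2c does not apply"
    p2c = header.get("p2c")
    if isinstance(p2c, bool) or not isinstance(p2c, int):  # bool is an int subclass
        return False, "p2c missing or not an integer"
    if p2c < MIN_P2C:
        return False, f"p2c={p2c} is below the minimum of {MIN_P2C}"
    if p2c > max_p2c:
        return False, f"p2c={p2c} exceeds the cap of {max_p2c}; refused before PBKDF2"
    return True, f"p2c={p2c} is within bounds"

def make_jwe(header: dict) -> str:
    # Constructed test input: a real protected header with dummy remaining segments.
    segs = [_b64url_encode(json.dumps(header).encode())] + [_b64url_encode(b"\x00")] * 4
    return ".".join(segs)

# Constructed sample tokens; the second mirrors the advisory's oversized p2c.
JWE_OK = make_jwe({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2c": 4096})
JWE_HUGE_P2C = make_jwe({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2c": 2**31 - 1})
JWE_NOT_PBES2 = make_jwe({"alg": "RSA-OAEP", "enc": "A256GCM"})
```

Run the check at the boundary where tokens enter the application (before handing them to the library), and log the rejection reason so that bursts of oversized p2c values show up in monitoring.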


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2023-12-17T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690a3b5fff58c9332ff09317

Added to database: 11/4/2025, 5:43:59 PM

Last enriched: 11/11/2025, 6:27:59 PM

Last updated: 12/18/2025, 12:02:23 AM
