{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27144", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-19T16:30:47.777Z", "datePublished": "2025-02-24T22:22:22.863Z", "dateUpdated": "2025-02-25T14:27:04.978Z"}, "containers": {"cna": {"title": "Go JOSE's Parsing Vulnerable to Denial of Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78"}, {"name": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22"}, {"name": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5"}], "affected": [{"vendor": "go-jose", "product": "go-jose", "versions": [{"version": ">= 4.0.0, < 4.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-24T22:22:22.863Z"}, "descriptions": [{"lang": "en", "value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters."}], "source": {"advisory": "GHSA-c6gw-w398-hv78", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-25T14:26:42.682392Z", "id": "CVE-2025-27144", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T14:27:04.978Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27144", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-25T14:26:42.682392Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-25T14:27:00.794Z"}}], "cna": {"title": "Go JOSE's Parsing Vulnerable to Denial of Service", "source": {"advisory": "GHSA-c6gw-w398-hv78", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "go-jose", "product": "go-jose", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.0.5"}]}], "references": [{"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78", "name": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22", "name": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5", "name": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-24T22:22:22.863Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27144", "state": "PUBLISHED", "dateUpdated": "2025-02-25T14:27:04.978Z", "dateReserved": "2025-02-19T16:30:47.777Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-24T22:22:22.863Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters."}], "id": "CVE-2025-27144", "lastModified": "2025-02-24T23:15:11.427", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-02-24T23:15:11.427", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22"}, {"source": "security-advisories@github.com", "url": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5"}, {"source": "security-advisories@github.com", "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-central-db-rhel8:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-collector-rhel8:4.6.4-3", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-collector-slim-rhel8:4.6.4-3", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.6.4-7", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-operator-bundle:4.6.4-7", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.6.4-3", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-db-rhel8:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.6.4-4", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3439", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.6::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.6.4-6", "product_name": "Red Hat Advanced Cluster Security 4.6", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-central-db-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-collector-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-main-rhel8:4.7.1-5", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-operator-bundle:4.7.1-3", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-rhel8-operator:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-roxctl-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-db-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-slim-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8:4.7.1-2", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3438", "cpe": "cpe:/a:redhat:advanced_cluster_security:4.7::el8", "package": "advanced-cluster-security/rhacs-scanner-v4-rhel8:4.7.1-3", "product_name": "Red Hat Advanced Cluster Security 4.7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3335", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "opentelemetry-collector-0:0.107.0-8.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3593", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "opentelemetry-collector-0:0.107.0-7.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:3301", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-aws-pod-identity-webhook-rhel9:v4.16.0-202503170806.p0.g459c531.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:3301", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-azure-workload-identity-webhook-rhel9:v4.16.0-202503210503.p0.ga754496.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:3301", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-cloud-credential-rhel9-operator:v4.16.0-202503191806.p0.gaa7ad99.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:3061", "cpe": "cpe:/a:redhat:openshift:4.17::el8", "package": "podman-5:5.2.2-4.rhaos4.17.el8", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3061", "cpe": "cpe:/a:redhat:openshift:4.17::el8", "package": "skopeo-2:1.16.1-1.rhaos4.17.el8", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-03-27T00:00:00Z"}, {"advisory": "RHSA-2025:3059", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-aws-pod-identity-webhook-rhel9:v4.17.0-202503142136.p0.g80efc4e.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3059", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-azure-workload-identity-webhook-rhel9:v4.17.0-202503181705.p0.g0e19a4f.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3059", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "ose-cloud-credential-operator-container-v4.17.0-202503182004.p0.g3ba961d.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3066", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/ose-aws-pod-identity-webhook-rhel9:v4.18.0-202503130333.p0.gf54f9a1.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-03-25T00:00:00Z"}, {"advisory": "RHSA-2025:3066", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/ose-azure-workload-identity-webhook-rhel9:v4.18.0-202503172004.p0.gd1dc8ab.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-03-25T00:00:00Z"}, {"advisory": "RHSA-2025:3066", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/ose-cloud-credential-rhel9-operator:v4.18.0-202503181802.p0.g7785eb4.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-03-25T00:00:00Z"}, {"advisory": "RHSA-2025:3068", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "podman-5:5.2.2-6.rhaos4.18.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-03-25T00:00:00Z"}, {"advisory": "RHSA-2025:3068", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "skopeo-2:1.16.1-1.rhaos4.18.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-03-25T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/cluster-logging-operator-bundle:v6.0.6-8", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/cluster-logging-rhel9-operator:v6.0.6-4", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/eventrouter-rhel9:v0.4.0-357", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/log-file-metric-exporter-rhel9:v1.1.0-338", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/logging-loki-rhel9:v3.4.2-7", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/loki-operator-bundle:v6.0.6-10", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/loki-rhel9-operator:v6.0.6-6", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/lokistack-gateway-rhel9:v0.1.0-753", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/opa-openshift-rhel9:v0.1.0-370", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3132", "cpe": "cpe:/a:redhat:logging:6.0::el9", "package": "openshift-logging/vector-rhel9:v0.37.1-35", "product_name": "RHOL-6.0-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/cluster-logging-operator-bundle:v6.1.4-10", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/cluster-logging-rhel9-operator:v6.1.4-5", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/eventrouter-rhel9:v0.4.0-356", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/log-file-metric-exporter-rhel9:v1.1.0-337", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/logging-loki-rhel9:v3.4.2-6", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/loki-operator-bundle:v6.1.4-13", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/loki-rhel9-operator:v6.1.4-7", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/lokistack-gateway-rhel9:v0.1.0-752", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/opa-openshift-rhel9:v0.1.0-369", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3131", "cpe": "cpe:/a:redhat:logging:6.1::el9", "package": "openshift-logging/vector-rhel9:v0.37.1-34", "product_name": "RHOL-6.1-RHEL-9", "release_date": "2025-03-26T00:00:00Z"}, {"advisory": "RHSA-2025:3501", "cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2.15::el9", "package": "registry.redhat.io/custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9:sha256:a5b5570c4c0c54d6d8833ea5985e849f0cf79913c6c049378767e11ef7eb6303", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift 2.15", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3743", "cpe": "cpe:/a:redhat:openshift_distributed_tracing:3.5::el8", "package": "registry.redhat.io/rhosdt/opentelemetry-collector-rhel8:sha256:360b97d5055aba77fb7cc5c029e910be7e7eb10672df530eca2c91346da2f2b0", "product_name": "Red Hat OpenShift distributed tracing 3.5.1", "release_date": "2025-04-09T00:00:00Z"}, {"advisory": "RHSA-2025:3820", "cpe": "cpe:/a:redhat:trusted_artifact_signer:1.1::el9", "package": "registry.redhat.io/rhtas/cosign-rhel9:sha256:2a2aa8c1a224419be83afe46b0226e168927c19c8bd3f9c4e562e5e5caebb6a9", "product_name": "Red Hat Trusted Artifact Signer 1.1", "release_date": "2025-04-10T00:00:00Z"}, {"advisory": "RHSA-2025:3820", "cpe": "cpe:/a:redhat:trusted_artifact_signer:1.1::el9", "package": "registry.redhat.io/rhtas/gitsign-rhel9:sha256:bef55c43000f266cdb7cf6ea525f7c52f2ee532b7b487ae9752aac31ebded40f", "product_name": "Red Hat Trusted Artifact Signer 1.1", "release_date": "2025-04-10T00:00:00Z"}], "bugzilla": {"description": "go-jose: Go JOSE's Parsing Vulnerable to Denial of Service", "id": "2347423", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347423"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.", "A flaw was found in GO-JOSE. In affected versions, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code uses strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. This issue could be exploied by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service."], "mitigation": {"lang": "en:us", "value": "As a workaround, applications can pre-validate that payloads being passed to Go JOSE do not contain an excessive number of `.` characters."}, "name": "CVE-2025-27144", "package_state": [{"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Affected", "package_name": "cert-manager-operator-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Affected", "package_name": "jetstack-cert-manager-acmesolver-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Affected", "package_name": "jetstack-cert-manager-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Not affected", "package_name": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel8", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Not affected", "package_name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-adapter-rhel8", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/lokistack-gateway-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-installer-agent-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-installer-controller-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-installer-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-service-8-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/assisted-service-9-rhel9", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/hypershift-cli-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/hypershift-rhel9-operator", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Affected", "package_name": "oadp/oadp-mustgather-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines-client", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "authorino-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/acm-must-gather-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:hybrid_cloud_gateway:1::el9", "fix_state": "Affected", "package_name": "authorino-container", "product_name": "Red Hat Connectivity Link"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "skopeo", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/oc-mirror-plugin-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-node-agent-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-cli", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-cli-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-deployer", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-hypershift-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-olm-catalogd-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-olm-operator-controller-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-operator-framework-tools-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-operator-lifecycle-manager", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-operator-registry-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-tools-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "redhat/redhat-operator-index", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/mcg-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-metrics-exporter-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "opentelemetry-rhel8-operator", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "opentelemetry-target-allocator-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/dex-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/gitops-operator-bundle", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-argocd-rhel9-container", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_service_on_aws:1", "fix_state": "Affected", "package_name": "rosa", "product_name": "Red Hat OpenShift on AWS"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-tekton-tasks-create-datavolume-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "kubevirt-tekton-tasks-test-rhel9-container", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-builder-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Will not fix", "package_name": "createctconfig-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Will not fix", "package_name": "ctlog-managectroots-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Will not fix", "package_name": "fulcio-createcerts-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Will not fix", "package_name": "trillian-createdb-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Will not fix", "package_name": "tuf-server-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}], "public_date": "2025-02-24T22:22:22Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-27144\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-27144\nhttps://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22\nhttps://github.com/go-jose/go-jose/releases/tag/v4.0.5\nhttps://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78"], "threat_severity": "Moderate"}