CVE-2023-49290: 
NixOS vulnerability analysis and mitigation

The vulnerability (CVE-2023-49290) affects lestrrat-go/jwx, a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT) technologies. The issue was discovered in December 2023 and involves a potential denial of service vulnerability when a p2c parameter is set too high in JWE's algorithm PBES2-*. The vulnerability affects versions up to 1.2.27 and versions from 2.0.0 up to 2.0.18 (GitHub Advisory, NVD).

The vulnerability stems from the JWE key management algorithms based on PBKDF2, which require a JOSE Header Parameter called p2c (PBES2 Count). This parameter controls the number of PBKDF2 iterations needed to derive a CEK wrapping key. While its primary purpose is to intentionally slow down key derivation for security purposes, setting this parameter to an extremely large value can cause excessive computational consumption. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).

The vulnerability can lead to a denial of service (DoS) attack by causing excessive CPU resource consumption. When exploited, it can significantly impact system availability by forcing the system to perform resource-intensive computations (GitHub Advisory).

The vulnerability has been addressed in commit 64f2a229b and included in release versions 1.2.27 and 2.0.18. Users are strongly advised to upgrade to these patched versions. There are no known workarounds for this vulnerability (NVD).