CVE-2023-52428: 
Java vulnerability analysis and mitigation

In Connect2id Nimbus JOSE+JWT before version 9.37.2, a vulnerability was discovered that allows attackers to cause a denial of service through resource consumption. The vulnerability (CVE-2023-52428) specifically involves the manipulation of the JWE p2c header value (iteration count) targeting the PasswordBasedDecrypter (PBKDF2) component (NVD, CVE).

The vulnerability affects the PasswordBasedDecrypter component of Nimbus JOSE+JWT, specifically targeting its PBKDF2 implementation. The issue stems from the lack of limits on the JWE p2c header value, which represents the iteration count for password-based encryption. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely without authentication (NVD).

When successfully exploited, this vulnerability can lead to denial of service through excessive resource consumption. The attack specifically targets the system's computational resources by manipulating the iteration count in the password-based encryption process, potentially causing service disruption (NVD).

The vulnerability has been fixed in Nimbus JOSE+JWT version 9.37.2. Users are strongly advised to upgrade to this version or later. The fix was implemented through commit 3b3b77e, which enforces limits on the maximum allowed JWE p2c header value (Bitbucket Issue, Bitbucket Patch).

The vulnerability was reported and tracked through Bitbucket issue #526. The maintainers have indicated that there are no plans to backport this fix to version 8.x, focusing instead on maintaining the 9.x branch which is used in their commercial products (Bitbucket Issue).