CVE-2024-21664: 
NixOS vulnerability analysis and mitigation

CVE-2024-21664 affects the jwx Go module, which implements various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. The vulnerability was discovered and disclosed in January 2024, specifically affecting versions prior to 2.0.19 and 1.2.28. The issue occurs when calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent, leading to a nil pointer dereference (GitHub Advisory, NVD).

The vulnerability stems from an assumption in the jws/message.go:UnmarshalJSON() function that if a signature field is present, then a protected field must also be present. When this assumption is violated, the subsequent call to getB64Value(sig.protected) attempts to dereference sig.protected, which is nil, resulting in a panic. The issue affects both the jws.Parse function directly and other functions that call Parse internally, such as jws.Verify. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L (GitHub Advisory).

The vulnerability can be exploited to cause a Denial of Service (DoS) condition by crashing systems performing JWS verification. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (GitHub Advisory).

The vulnerability has been patched in versions 2.0.19 and 1.2.28. Users should upgrade to these or later versions. The fix ensures that jws.Parse function succeeds in parsing a JWS message lacking a protected header, while jws.Verify on such messages will result in a failed verification attempt rather than a panic (NVD).