{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2024-29370","title":"Title"},{"category":"description","text":"In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2024-29370","url":"https://www.suse.com/security/cve/CVE-2024-29370"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1255393 for CVE-2024-29370","url":"https://bugzilla.suse.com/1255393"}],"title":"SUSE CVE CVE-2024-29370","tracking":{"current_release_date":"2025-12-20T00:51:40Z","generator":{"date":"2025-12-20T00:51:40Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2024-29370","initial_release_date":"2025-12-20T00:51:40Z","revision_history":[{"date":"2025-12-20T00:51:40Z","number":"2","summary":"vulnerabilities added,references added,severity changed from  to important"}],"status":"interim","version":"2"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"openSUSE Leap 15.6","product":{"name":"openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.6"}}},{"category":"product_version","name":"python-python-jose","product":{"name":"python-python-jose","product_id":"python-python-jose","product_identification_helper":{"purl":"pkg:rpm/suse/python-python-jose@"}}},{"category":"product_version","name":"python311-python-jose","product":{"name":"python311-python-jose","product_id":"python311-python-jose","product_identification_helper":{"purl":"pkg:rpm/suse/python311-python-jose@?upstream=python-python-jose.src.rpm"}}},{"category":"product_version","name":"python311-python-jose-cryptography","product":{"name":"python311-python-jose-cryptography","product_id":"python311-python-jose-cryptography","product_identification_helper":{"purl":"pkg:rpm/suse/python311-python-jose-cryptography@?upstream=python-python-jose.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"python311-python-jose as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:python311-python-jose"},"product_reference":"python311-python-jose","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"python311-python-jose-cryptography as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:python311-python-jose-cryptography"},"product_reference":"python311-python-jose-cryptography","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"python-python-jose as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:python-python-jose"},"product_reference":"python-python-jose","relates_to_product_reference":"openSUSE Leap 15.6"}]},"vulnerabilities":[{"cve":"CVE-2024-29370","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-29370"}],"notes":[{"category":"general","text":"In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.","title":"CVE description"}],"product_status":{"known_affected":["openSUSE Leap 15.6:python-python-jose","openSUSE Leap 15.6:python311-python-jose","openSUSE Leap 15.6:python311-python-jose-cryptography"]},"references":[{"category":"external","summary":"CVE-2024-29370","url":"https://www.suse.com/security/cve/CVE-2024-29370"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1255393 for CVE-2024-29370","url":"https://bugzilla.suse.com/1255393"}],"threats":[{"category":"impact","date":"2025-12-17T17:02:42Z","details":"important"}],"title":"CVE-2024-29370"}]}