{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-17T00:00:00Z",
  "bugzilla" : {
    "description" : "python-jose: python-jose: Denial-of-Service via malicious JSON Web Encryption (JWE) token decompression",
    "id" : "2423195",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2423195"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-409",
  "details" : [ "In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.", "A flaw was found in python-jose. This vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio, leading to significant memory allocation and processing time during decompression." ],
  "statement" : "This vulnerability is rated Moderate for Red Hat products as it allows an attacker to cause a Denial-of-Service (DoS) by crafting a malicious JSON Web Encryption (JWE) token. When processed by applications utilizing `python-jose`, this token can lead to excessive memory allocation and processing time during decompression. This affects Red Hat Ansible Automation Platform, OpenShift Lightspeed, Red Hat OpenShift AI, and other services that use `python-jose` for JWE token handling.",
  "package_state" : [ {
    "product_name" : "OpenShift Lightspeed",
    "fix_state" : "Not affected",
    "package_name" : "openshift-lightspeed/lightspeed-ocp-rag-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_lightspeed"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-25/lightspeed-chatbot-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-26/lightspeed-chatbot-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "python-jose",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-llama-stack-core-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-trustyai-ragas-lls-provider-dsp-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-29370\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-29370\nhttps://github.com/mpdavis/python-jose/issues/344" ],
  "name" : "CVE-2024-29370",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}