In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.

oracle CPUApr2026: Oracle Siebel CRM

The remote SUSE Linux SLES15 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2026:1010-1 advisory.

    branch-network-formula:

    - Update to version 1.1.0
      * Enable containers on SLE15SP7
      * Exclude podman interfaces from sysctl setting

    cobbler:

    - Compatibility fixes for tftpboot directory setup

    inter-server-sync:

    - Version 0.3.10-0
      * Write log to a rotated file without rsyslog and logrotate
      * Recreate cobbler entries on the import (bsc#1220899)
      * remove support for 4.2 file based pillars
      * use correct hostname detection for 5.x servers         (bsc#1253322)

    jose4j:

    - CVE-2024-29371: Safeguard against excessive resource utilization       by restricting the size of data during JWE payload decompression       (bsc#1255298)

    liberate-formula:

    - Version 0.1.2
      * Add option to prevent logo packages from being installed

    spacecmd:

    - Version 5.0.15-0
      * Fix typo in spacecmd help ca-cert flag (bsc#1253174)
      * Convert cached IDs to int (bsc#1251995)
      * Fix spacecmd binary file upload (bsc#1253659)

    spacewalk-backend:

    - Version 5.0.17-0
      * Fix reposync mediaproduct fetch when         URL contains auth token (bsc#1252388)

    spacewalk-certs-tools:

    - Version 5.0.13-0
      * Fix bootstrap script for SLM 6.2 (bsc#1257992)
      * Fix failing bootstrap with bootstrap script on SLES 16         and SL Micro 6.2 (bsc#1256991)

    spacewalk-client-tools:

    - Version 5.0.12-0
      * Update translation strings

    spacewalk-config:

    - Version 5.0.9-0
      * Enable HSTS in Apache config (bsc#1255176)
      * Force SameSite=Lax on all Set-Cookie headers (bsc#1253711)

    spacewalk-java:

    - Version 5.0.31-0
      * Commit DB changes before refreshing pillar for SSH push minions         (bsc#1253712)
      * Fix http proxy verification (bsc#1253501)
      * Fix: Broken URL in API docs (bsc#1244177)
      * Fix crash in ubuntu errata sync on deleted channel ids         (bsc#1250561)
      * Fix dnf updateinfo showing wrong severity for         security updates (bsc#1252937)
      * Add details on config channels and state order in UI         (bsc#1253285)
      * fix reposync crashing at metadata generation (bsc#1257538)
      * Block multiple versions of the same package         from being locked (bsc#1246315)
      * Use PackageEvr instead of string for fix_version (bsc#1252638)
      * Add multi-thread support for message queue (bsc#1247722)
      * Fix ungrouped systems list menu item (bsc#1254251)

    spacewalk-proxy:

    - Version 5.0.8-0
      * Disable listing the content of /icons (bsc#1247544)

    spacewalk-proxy-installer:

    - Version 5.0.3-0
      * Configure squid replacement policy properly before cache dir         (bsc#1253773)

    spacewalk-web:

    - Version 5.0.26-0
      * Update web UI dependencies
      * Add details on config channels and state order in UI         (bsc#1253285)

    susemanager:

    - Version 5.0.17-0
      * Fix the product ids of client tools channels
      * Fixed the package name to correct one (bsc#1255089)

    susemanager-build-keys:

    - Add openSUSE Backports for SUSE Linux 16 key (bsc#1257255)

    susemanager-docs_en:

    - Updated the screenshots in multiple sections in Installation and Upgrade Guide
    - Reformatted storage-scripts table to use plain paragraphs instead of bullet       lists to fix po4a extraction issue causing missing bullets in CJK translations
    - Added a warning for all instances where mgradm upgrade podman is used
    - Added section about container-based Kiwi image build support to Administration       guide (bsc#1251865)
    - Included global GPG decryption for pillar data in specialized guide       (bsc#1255743)
    - CIS removed from list of supported OpenSCAP profiles
    - Changes example for the third-party repository GPG keys (bsc#1255857)
    - Added SLE16 and openSUSE Leap 16 as supported clients
    - Explained how to generate the proxy certificates on a peripheral server       (bsc#1249425)
    - Improved procedure formatting for better clarity in Administration Guide       (bsc#1253660)
    - Added links to man pages for createrepo_c and reprepro to Administration       Guide (bsc#1237181)
    - Added missing options to command example in Installation and Upgrade Guide       (bsc#1252908)
    - Added non-SUSE URLs to requirements in installation and Upgrade Guide       (bsc#1252665)
    - Fixed typo for command options in Reference Guide (bsc#1253174)
    - Added additional step for client deletion in Client Configuration Guide       (bsc#1253249)
    - Clarified server config option for spacemd in Refrence Guide (bsc#1253197)
    - Changed the installation instructions to use product instead of packages       (bsc#1249041)

    susemanager-schema:

    - Version 5.0.18-0
      * Refactor oval related tables (bsc#1252638)
      * Increase size of column 'context' on tables         'suseappstream' and 'suseserverappstream' (bsc#1255653)
      * Add leftovers of partially missing ARMHF for Debian (bsc#1248783)

    susemanager-sls:

    - Version 5.0.21-0
      * Fix error on shutdown for sles 12 (bsc#1255634)
      * Fix bootstrap for SLM 6.2 and newer (bsc#1257992)
      * Make mgr_events salt engine non-blocking on reading events
      * Avoid losing the events on DB connection issues (bsc#1252098)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of IBM WebSphere Application Server running on the remote host is affected by a DoS vulnerability as referenced in the 7261794 advisory.

  - In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious     JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed     by the server, it results in significant memory allocation and processing time during decompression.
    (CVE-2024-29371)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious     JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed     by the server, it results in significant memory allocation and processing time during decompression.
    (CVE-2024-29371)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
303781	SUSE SLES15 : Security update 5.0.7 for Multi-Linux Manager Proxy (SUSE-SU-2026:1010-1)	Nessus	SuSE Local Security Checks	high
300110	IBM WebSphere Application Server 8.5.5.3 < 8.5.5.30 / 9.x < 9.0.5.27 / Liberty 21.0.0.3 < 26.0.0.3 DoS (7261794)	Nessus	Web Servers	high
279260	Linux Distros Unpatched Vulnerability : CVE-2024-29371	Nessus	Misc.	high

Detections

Analytics

CVE-2024-29371

high

Tenable Plugins

Coming Soon

high

high

high