The jose4j component prior to 0.9.4 for Java allows malicious users to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.