Описание
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| python-authlib | fixed | 1.3.1-1 | package | |
| python-authlib | no-dsa | bookworm | package |
Примечания
https://github.com/lepture/authlib/issues/654
https://github.com/lepture/authlib/commit/3bea812acefebc9ee108aa24557be3ba8971daf1 (v1.3.1)
EPSS
Связанные уязвимости
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
Authlib has algorithm confusion with asymmetric public keys
EPSS