Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2022-29217

Опубликовано: 12 мая 2022
Источник: redhat
CVSS3: 7.5
EPSS Низкий

Описание

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify jwt.algorithms.get_default_algorithms() to get support for all algorithms, or specify a single algorithm. The issue is not that big as algorithms=jwt.algorithms.get_default_algorithms() has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

A vulnerability was found in python-jwt. This issue happens when PyJWT supports multiple different JWT signing algorithms. This flaw allows an attacker submitting the JWT token to choose the used signing algorithm, leading to key confusion through non-blocklisted public key formats.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ansible Automation Platform 2automation-controllerAffected
Red Hat Ansible Automation Platform 2python-pulp-containerAffected
Red Hat Ansible Automation Platform 2python-pyjwtAffected
Red Hat Ceph Storage 4python-adalAffected
Red Hat Ceph Storage 4python-jwtAffected
Red Hat Ceph Storage 5python-adalWill not fix
Red Hat Enterprise Linux 7python-adalNot affected
Red Hat Enterprise Linux 7python-jwtNot affected
Red Hat Enterprise Linux 8python-jwtWill not fix
Red Hat Enterprise Linux 9fence-agentsWill not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-327
https://bugzilla.redhat.com/show_bug.cgi?id=2088544python-jwt: Key confusion through non-blocklisted public key formats

EPSS

Процентиль: 59%
0.00393
Низкий

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2022-29217

CVSS3: 7.4
ubuntu
около 3 лет назад

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

nvd логотип

CVE-2022-29217

CVSS3: 7.4
nvd
около 3 лет назад

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

msrc логотип

CVE-2022-29217

CVSS3: 7.5
msrc
около 3 лет назад

Описание отсутствует

debian логотип

CVE-2022-29217

CVSS3: 7.4
debian
около 3 лет назад

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple ...

suse-cvrf логотип

SUSE-SU-2023:0794-1

suse-cvrf
больше 2 лет назад

Security update for python-PyJWT

EPSS

Процентиль: 59%
0.00393
Низкий

7.5 High

CVSS3

Уязвимость CVE-2022-29217