CVE-2022-39227

Опубликовано: 23 сент. 2022

Источник: redhat

CVSS3: 9.1

Описание

python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.

A flaw was found in python-jwt, where it was subject to Authentication Bypass vulnerability by spoofing, resulting in identity spoofing, session hijacking, or authentication bypass. This flaw allows an attacker who obtains a JWT to arbitrarily forge its contents without knowing the secret key. Depending on the application, the attacker can spoof other users' identities, hijack their sessions, or bypass authentication.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Ceph Storage 4	python-jwt	Affected
Red Hat Enterprise Linux 7	python-jwt	Not affected
Red Hat Enterprise Linux 8	python-jwt	Not affected
Red Hat OpenStack Platform 13 (Queens)	python-jwt	Affected
Red Hat Storage 3	python-jwt	Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-290

https://bugzilla.redhat.com/show_bug.cgi?id=2129744python-jwt: token forgery with new claims

9.1 Critical

CVSS3

Связанные уязвимости

CVE-2022-39227

CVSS3: 9.1

nvd

больше 3 лет назад

CVE-2022-39227

CVSS3: 9.1

msrc

больше 3 лет назад

Описание отсутствует

GHSA-5p8v-58qm-c7fp

CVSS3: 9.1

github

больше 3 лет назад

python-jwt vulnerable to token forgery with new claims

9.1 Critical

CVSS3