Description
pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library (admittedly, library users may benefit from a minimum value and a mechanism for opting in to strict enforcement).
A flaw was found in pyjwt. The library uses weak encryption, allowing an attacker to potentially decrypt sensitive data. A network-based attacker can exploit this vulnerability without authentication, possibly resulting in a denial of service or data exposure. This weakness stems from the use of inadequate cryptographic algorithms.
Report
The severity of this vulnerability is rated Moderate, as it does not impact system availability. The effects are confined to the application layer, without compromising the underlying system stability.
Mitigation measures
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
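Because the description above notes that the key length is chosen by the application, an application can enforce a minimum itself before a key reaches its JWT library. The following is an added example, not code from pyjwt or Red Hat: it uses only the Python standard library as a stand-in for the signing step, the names `check_hmac_key`, `sign`, `verify` and `WeakKeyError` are hypothetical, and the minimum sizes are an assumption taken from RFC 7518 section 3.2 (key at least as long as the hash output).

```python
import base64, hashlib, hmac, json

# Assumed policy: RFC 7518 section 3.2 minimum HMAC key sizes, in bytes.
MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

class WeakKeyError(ValueError):
    """Raised when strict mode rejects an undersized HMAC key."""

def check_hmac_key(alg, key, strict=True):
    """Return the key as bytes; in strict mode reject keys below the minimum."""
    if alg not in MIN_KEY_BYTES:
        raise ValueError(f"unsupported algorithm: {alg}")
    raw = key.encode("utf-8") if isinstance(key, str) else bytes(key)
    if strict and len(raw) < MIN_KEY_BYTES[alg]:
        raise WeakKeyError(f"{alg} needs >= {MIN_KEY_BYTES[alg]} key bytes, got {len(raw)}")
    return raw

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def sign(payload, key, alg="HS256", strict=True):
    """Build a compact HMAC-signed token after the key passes the length check."""
    raw = check_hmac_key(alg, key, strict)
    header = _b64(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = header + b"." + body
    sig = _b64(hmac.new(raw, signing_input, DIGESTS[alg]).digest())
    return (signing_input + b"." + sig).decode()

def verify(token, key, alg="HS256", strict=True):
    """Apply the same key check on the verifying side, then check alg and MAC."""
    raw = check_hmac_key(alg, key, strict)
    signing_input, _, sig = token.encode().rpartition(b".")
    head, body = signing_input.split(b".")  # ValueError if not three segments
    if json.loads(_unb64(head)).get("alg") != alg:
        raise ValueError("unexpected alg in header")
    expected = _b64(hmac.new(raw, signing_input, DIGESTS[alg]).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature mismatch")
    return json.loads(_unb64(body))
```

With `strict=False` the helper behaves as an unchecked signer would, which makes it possible to roll the check out in report-only mode before enforcing it.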
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
OpenShift Lightspeed | openshift-lightspeed/lightspeed-service-api-rhel9 | Affected | ||
OpenShift Service Mesh 3 | openshift-service-mesh-dev-preview-beta/istio-ztunnel-rhel9 | Affected | ||
OpenShift Service Mesh 3 | openshift-service-mesh/istio-cni-rhel9 | Affected | ||
OpenShift Service Mesh 3 | openshift-service-mesh/istio-must-gather-rhel9 | Affected | ||
OpenShift Service Mesh 3 | openshift-service-mesh/istio-pilot-rhel9 | Affected | ||
OpenShift Service Mesh 3 | openshift-service-mesh/istio-proxyv2-rhel9 | Affected | ||
OpenShift Service Mesh 3 | openshift-service-mesh/istio-rhel9-operator | Affected | ||
OpenShift Service Mesh 3 | openshift-service-mesh/istio-sail-operator-bundle | Affected | ||
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel8 | Affected | ||
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel9 | Affected | ||
Additional information
Status:
EPSS
CVSS3: 5.6 Medium