Описание
Security update for python-Authlib
This update for python-Authlib fixes the following issues:
Changes in python-Authlib:
- CVE-2026-27962: JWS
deserialize_compact()allows for signature bypass by accepting user-controlled embedded JWK as verification key (bsc#1259738) - CVE-2026-28490: cryptographic padding oracle in JWE RSA1_5 key management algorithm (bsc#1259736)
- CVE-2026-28498: fail-open in behavior OIDC hash validation allows for bypass mandatory integrity protections (bsc#1259737)
Список пакетов
openSUSE Leap 16.0
Ссылки
- SUSE Security Ratings
- SUSE Bug 1259736
- SUSE Bug 1259737
- SUSE Bug 1259738
- SUSE CVE CVE-2026-27962 page
- SUSE CVE CVE-2026-28490 page
- SUSE CVE CVE-2026-28498 page
Описание
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid - bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.
Затронутые продукты
Ссылки
- CVE-2026-27962
- SUSE Bug 1259738
Описание
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.
Затронутые продукты
Ссылки
- CVE-2026-28490
- SUSE Bug 1259736
Описание
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.
Затронутые продукты
Ссылки
- CVE-2026-28498
- SUSE Bug 1259737