Description
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
| Release | Status | Note |
|---|---|---|
| devel | needs-triage | |
| esm-apps/jammy | needed | |
| esm-apps/noble | needed | |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | needed | |
| mantic | ignored | end of life, was needed |
| noble | needed | |
| oracular | ignored | end of life, was needs-triage |
| plucky | ignored | end of life, was needs-triage |
7.5 High
CVSS3
Related vulnerabilities
CVSS3: 7.5
nvd
more than 1 year ago
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
CVSS3: 7.5
debian
more than 1 year ago
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric p ...
CVSS3: 7.4
github
more than 1 year ago
Authlib has algorithm confusion with asymmetric public keys