AZL-11032

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-11032.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-11032

Upstream

CVE-2022-39227

Published

2022-09-23T07:15:09Z

Modified

2026-04-21T04:21:45.841393Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

CVE-2022-39227 affecting package python-jwt for versions less than 2.4.0-2

Details

python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-39227

Affected packages

Azure Linux:2 / python-jwt

Package

Name: python-jwt
Purl: pkg:rpm/azure-linux/python-jwt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.0-2

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-11032.json"