CVE-2017-11424

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-11424

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-11424.json

Aliases

Related

Published

2017-08-24T16:29:00Z

Modified

2023-11-29T05:57:01.485204Z

Details

In PyJWT 1.5.0 and below the invalid_strings check in HMACAlgorithm.prepare_key does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.

References

Affected packages

Git / github.com/jpadilla/pyjwt

Affected ranges

Type: GIT
Repo: https://github.com/jpadilla/pyjwt
Events: Introduced

0The exact introduced commit is unknown

Last affected

908ee84aeefb8126a94e48e88ba9916d9d2512b3

Affected versions

0.*

0.1.6

0.1.9

0.2.0

0.2.2

0.2.3

0.3.0

0.3.1

0.3.2

0.4.0

0.4.1

0.4.2

0.4.3

1.*

1.0.0

1.0.1

1.1.0

1.2.0

1.3.0

1.4.0

1.4.1

1.4.2

1.5.0