GHSA-5357-c2jx-v7qh

Suggest an improvement
Source
https://github.com/advisories/GHSA-5357-c2jx-v7qh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-5357-c2jx-v7qh/GHSA-5357-c2jx-v7qh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5357-c2jx-v7qh
Aliases
Published
2024-06-09T21:30:33Z
Modified
2024-06-25T02:33:56.000794Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Authlib has algorithm confusion with asymmetric public keys
Details

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)

References

Affected packages

PyPI / authlib

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.1

Affected versions

0.*

0.1rc0
0.1
0.2
0.2.1
0.3
0.4
0.4.1
0.5
0.5.1
0.6
0.7
0.8
0.9
0.10
0.11
0.12
0.12.1
0.13
0.14
0.14.1
0.14.2
0.14.3
0.15
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.15.6

1.*

1.0.0a1
1.0.0a2
1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0
1.0.1
1.1.0
1.2.0
1.2.1
1.3.0