PYSEC-2022-259

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml

Aliases

CVE-2022-39227
GHSA-5p8v-58qm-c7fp

Published

2022-09-01T18:51:51Z

Modified

2023-11-08T04:10:15.713930Z

Details

An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication.

References

https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9

Affected packages

PyPI / python-jwt

Package

Name: python-jwt

Affected ranges

Type: GIT
Repo: https://github.com/davedoesdev/python-jwt
Events: Introduced

f6d1451012c6a04c2fb1940f0bbd93bb6cf2b025

Fixed

88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.3.4

Affected versions

3.*

3.0.0

3.1.0

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.3.0

3.3.1

3.3.2

3.3.3