PYSEC-2024-52

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/authlib/PYSEC-2024-52.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2024-52
Aliases
Published
2024-06-09T19:15:00Z
Modified
2024-06-10T16:27:33.888395Z
Summary
[none]
Details

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)

References

Affected packages

PyPI / authlib

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.3.1

Affected versions

0.*

0.1rc0
0.1
0.2
0.2.1
0.3
0.4
0.4.1
0.5
0.5.1
0.6
0.7
0.8
0.9
0.10
0.11
0.12
0.12.1
0.13
0.14
0.14.1
0.14.2
0.14.3
0.15
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.15.6

1.*

1.0.0a1
1.0.0a2
1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0
1.0.1
1.1.0
1.2.0
1.2.1
1.3.0