UBUNTU-CVE-2022-29217

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2022-29217

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-29217.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2022-29217

Related

Published

2022-05-24T15:15:00Z

Modified

2025-01-13T10:23:28Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify jwt.algorithms.get_default_algorithms() to get support for all algorithms, or specify a single algorithm. The issue is not that big as algorithms=jwt.algorithms.get_default_algorithms() has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

References

Affected packages

Ubuntu:18.04:LTS / pyjwt

Package

Name: pyjwt
Purl: pkg:deb/ubuntu/pyjwt@1.5.3+ds1-1ubuntu0.1?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.3+ds1-1ubuntu0.1

Affected versions

1.*

1.4.2-1.1

1.5.3+ds1-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.5.3+ds1-1ubuntu0.1",
            "binary_name": "python-jwt"
        },
        {
            "binary_version": "1.5.3+ds1-1ubuntu0.1",
            "binary_name": "python3-jwt"
        }
    ]
}

Ubuntu:20.04:LTS / pyjwt

Package

Name: pyjwt
Purl: pkg:deb/ubuntu/pyjwt@1.7.1-2ubuntu2.1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.7.1-2ubuntu2.1

Affected versions

1.*

1.7.0-2

1.7.1-1

1.7.1-2ubuntu1

1.7.1-2ubuntu2

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.7.1-2ubuntu2.1",
            "binary_name": "python3-jwt"
        }
    ]
}

Ubuntu:22.04:LTS / pyjwt

Package

Name: pyjwt
Purl: pkg:deb/ubuntu/pyjwt@2.3.0-1ubuntu0.1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.0-1ubuntu0.1

Affected versions

1.*

1.7.1-2ubuntu2

2.*

2.1.0-1

2.3.0-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "2.3.0-1ubuntu0.1",
            "binary_name": "python3-jwt"
        }
    ]
}