TencentOS Server 4: python-jwt (TSSA-2026:0427)

Published 08 Jun 2026 00:00:00. Reported by Tenable. Type: nessus. Source: www.tenable.com

TencentOS Server 4 fixes PyJWT vulnerabilities (CVE-2026-48525, -48524, -48523) by upgrading to version 2.13.0.

Related
Reporter    Title                          Published          Family
ATTACKERKB  CVE-2026-48525                 28 May 2026 15:11  attackerkb
ATTACKERKB  CVE-2026-48523                 28 May 2026 15:10  attackerkb
ATTACKERKB  CVE-2026-48524                 28 May 2026 15:07  attackerkb
ATTACKERKB  CVE-2026-48522                 28 May 2026 15:00  attackerkb
Circl       CVE-2026-48522                 28 May 2026 17:53  circl
Circl       CVE-2026-48523                 28 May 2026 17:43  circl
Circl       CVE-2026-48524                 28 May 2026 17:18  circl
Circl       CVE-2026-48525                 28 May 2026 17:48  circl
CNNVD       pyjwt security vulnerability   28 May 2026 00:00  cnnvd
CNNVD       pyjwt security vulnerability   28 May 2026 00:00  cnnvd
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2026:0427.
##

include('compat.inc');

if (description)
{
  script_id(319736);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/08");

  script_cve_id(
    "CVE-2026-48522",
    "CVE-2026-48523",
    "CVE-2026-48524",
    "CVE-2026-48525"
  );

  script_name(english:"TencentOS Server 4: python-jwt (TSSA-2026:0427)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 4 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0427 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2026-48525:
    PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS
    tokens using the unencoded-payload option (b64: false, RFC 7797), PyJWT performs Base64URL decoding of
    the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false,
    PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In
    practice, this turns the middle segment into an attacker-controlled work amplifier: a remote client can
    supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if
    the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies
    detached JWS using PyJWT. This vulnerability is fixed in 2.13.0.

    CVE-2026-48524:
    PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces
    a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting.
    Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The
    vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with
    sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting,
    transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0.

    CVE-2026-48523:
    PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side
    algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The
    token header alg is checked against the caller-supplied algorithms allow-list, but signature verification
    is performed with the algorithm bound to the PyJWK object instead of the header algorithm. An attacker who
    controls a registered JWK/JWKS private key can sign with a disallowed algorithm, advertise an allowed
    algorithm in the JWT header, and still be accepted. The issue affects the documented
    PyJWKClient.get_signing_key_from_jwt(...) flow. This vulnerability is fixed in 2.13.0.

    CVE-2026-48522:
    PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument
    directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering
    HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented
    option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestion path
    accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the
    attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause
    PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies
    as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained
    'plant a JWKS to forge tokens' scenario described in the original report requires additional
    application-layer flaws (attacker write access to a filesystem path, untrusted jku derivation) that this
    fix does not address. This vulnerability is fixed in 2.13.0.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20260427.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-48523");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:python-jwt");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 4.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '4',
    'pkgs': [
      {'reference':'python3-jwt+crypto-2.13.0-1.tl4', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'python3-jwt-2.13.0-1.tl4', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python3-jwt / python3-jwt+crypto');
}
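As an added illustration, not code from PyJWT, Tenable or the Tencent advisory, the following Python runs the cheap defender-side guards that the CVE descriptions in the plugin above imply, before an untrusted compact JWS reaches any library verification: a size bound and the empty-middle-segment rule for b64:false (CVE-2026-48525), a header alg that must equal the key's bound algorithm rather than merely appear in the allow-list (CVE-2026-48523), and an https-only jku (CVE-2026-48522). The function names, the size limit and the sample tokens are constructed for this example; upgrading to PyJWT 2.13.0 remains the actual fix.

```python
import base64
import json
from urllib.parse import urlparse

MAX_TOKEN_BYTES = 8192  # constructed limit; a legitimate JWS is far smaller


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded Base64URL segment (JWS omits '=' padding)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jws_precheck(token: str, allowed_algs, key_alg: str) -> list:
    """Example guards (not PyJWT code) for an untrusted compact JWS, run before signature work.
    Returns reasons to reject; an empty list means only that these checks passed."""
    # 1. Bound the work before decoding anything (CVE-2026-48525 is a work amplifier).
    if len(token) > MAX_TOKEN_BYTES:
        return ["token too large"]
    parts = token.split(".")
    if len(parts) != 3:
        return ["compact JWS must have exactly three segments"]
    header_seg, payload_seg, _sig_seg = parts
    try:
        header = json.loads(b64url_decode(header_seg))
    except ValueError:  # binascii.Error and JSONDecodeError both subclass ValueError
        return ["malformed header"]
    if not isinstance(header, dict):
        return ["header is not a JSON object"]
    problems = []
    # 2. alg must be allow-listed AND equal to the key's bound algorithm (CVE-2026-48523).
    alg = header.get("alg")
    if alg not in allowed_algs or alg != key_alg:
        problems.append(f"alg {alg!r} not allowed for this key")
    # 3. RFC 7797: b64:false means a detached payload, so the middle segment must be empty.
    if header.get("b64") is False:
        if "b64" not in header.get("crit", []):
            problems.append("b64:false must be listed in crit")
        if payload_seg != "":
            problems.append("payload segment must be empty for b64:false")
    # 4. The token must not pick the key source (CVE-2026-48522): https jku only; pin the host too.
    jku = header.get("jku")
    if jku is not None and urlparse(jku).scheme != "https":
        problems.append("jku must use https")
    return problems


def sample_token(header: dict, payload_seg: str = "") -> str:
    """Constructed, unsigned sample token for exercising the checks ('c2ln' is a dummy signature)."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return f"{h}.{payload_seg}.c2ln"
```

Run these checks in the request handler before calling jwt.decode(); they reject oversized or structurally wrong tokens without touching the payload segment, but they do not replace signature verification or the version upgrade.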


08 Jun 2026 00:00 (current)
5.8 Medium risk
Vulners AI Score: 5.8
CVSS 3.1: 5.4
EPSS: 0.00057
SSVC: 5