Lucene search
Redhat.comRH:CVE-2017-11424HistoryAug 25, 2017 - 8:48 a.m.
CVE-2017-11424
2017-08-2508:48:29
redhat.com
access.redhat.com
12
0.001 Low
EPSS
Percentile
35.3%
In PyJWT 1.5.0 and below the invalid_strings check in HMACAlgorithm.prepare_key does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.
Related
debian
debian
[SECURITY] [DSA 3979-1] pyjwt security update
2017-09-19 20:55:50
github
github
PyJWT vulnerable to key confusion attacks
2022-05-13 01:42:19
nessus
nessus
Debian DSA-3979-1 : pyjwt - security update
2017-09-20 00:00:00
Fedora 26 : python-jwt (2017-b9f07dfaca)
2017-09-25 00:00:00
Fedora 27 : python-jwt (2017-0cc84101de)
2018-01-15 00:00:00
veracode
veracode
Key Confusion Attacks
2017-08-16 22:26:05
openvas
openvas
Fedora Update for python-jwt FEDORA-2017-b9f07dfaca
2017-09-28 00:00:00
Ubuntu: Security Advisory (USN-3407-1)
2018-10-26 00:00:00
Debian: Security Advisory (DSA-3979-1)
2017-09-18 00:00:00
fedora
fedora
[SECURITY] Fedora 27 Update: python-jwt-1.5.3-1.fc27
2017-09-30 07:36:29
[SECURITY] Fedora 26 Update: python-jwt-1.5.3-1.fc26
2017-09-25 00:53:39
debiancve
debiancve
CVE-2017-11424
2017-08-24 16:29:00
osv
osv
pyjwt - security update
2017-09-19 00:00:00
PyJWT vulnerable to key confusion attacks
2022-05-13 01:42:19
CVE-2017-11424
2017-08-24 16:29:00
prion
prion
Type confusion
2017-08-24 16:29:00
ubuntucve
ubuntucve
CVE-2017-11424
2017-08-24 00:00:00
cvelist
cvelist
CVE-2017-11424
2017-08-24 16:00:00
nvd
nvd
CVE-2017-11424
2017-08-24 16:29:00
CVE-2017-12880
2017-08-16 14:29:00
cve
cve
CVE-2017-11424
2017-08-24 16:29:00
CVE-2017-12880
2017-08-16 14:29:00
ubuntu
ubuntu
PyJWT vulnerability
2017-08-30 00:00:00