Lucene search

K
redhatcveRedhat.comRH:CVE-2022-29217
HistoryMay 25, 2022 - 2:21 a.m.

CVE-2022-29217

2022-05-2502:21:09
redhat.com
access.redhat.com
59
python-jwt
vulnerability
jwt signing algorithms
key confusion

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

45.5%

A vulnerability was found in python-jwt. This issue happens when PyJWT supports multiple different JWT signing algorithms. This flaw allows an attacker submitting the JWT token to choose the used signing algorithm, leading to key confusion through non-blocklisted public key formats.

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

45.5%