Key confusion through non-blocklisted public key formats
Impact What kind of vulnerability is it? Who is impacted? Disclosed by Aapo Oksman Senior Security Specialist, Nixu Corporation. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requir...
GHSA-FFQJ-6FQR-9H24 Key confusion through non-blocklisted public key formats
Impact What kind of vulnerability is it? Who is impacted? Disclosed by Aapo Oksman Senior Security Specialist, Nixu Corporation. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requir...
CVE-2022-29217
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can...
AZL-9852 CVE-2022-29217 affecting package python-jwt for versions less than 2.4.0-1
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can...
Code injection
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can...
00-merlin-hu-mcpdemo-pipy (>=0.1.0 <=0.1.1), 00-renjing-mcp-server-pypi (=0.1.0) +37574 more potentially affected by CVE-2022-29217 via pyjwt (>=1.5.0 <=2.3.0)
pyjwt PYPI version =1.5.0, =0.1.0, =0.1.0, =0.1.6, =0.1.2, =0.1.1, =0.1.0, =0.1.0, =0.6.1 and more Source cves: CVE-2022-29217 Source advisory: OSV:PYSEC-2022-202...
UBUNTU-CVE-2022-29217
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can...
PYSEC-2022-202
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can...
CVE-2022-29217 Key confusion through non-blocklisted public key formats in PyJWT
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can...
CVE-2022-29217
CVE-2022-29217 affects the Python PyJWT library (JWT handling for RFC 7519). The root cause is algorithm confusion when decoding tokens if the application does not restrict accepted algorithms, allowing unintended verification behavior across signing algorithms. The issue is mitigated by upgradin...
PyJWT vulnerable to key confusion attacks
In PyJWT 1.5.0 and below the invalid_strings check in HMACAlgorithm.prepare_key does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...
Python cryptographic issue vulnerability
pyjwt is a Python library by the individual developer José Padilla in the United States. It allows encoding and decoding of JSON Web Tokens (JWT). A cryptographic issue vulnerability exists in pyjwt versions 1.5.0 - 2.3.0, which stems from the use of a corrupted or risky cryptographic algorithm. A...
PT-2022-7130 · Pypi +4 · Pyjwt +4
Name of the Vulnerable Software and Affected Versions: PyJWT versions prior to 2.4.0 Description: The issue is related to the implementation of JWT in Python PyJWT, where an attacker can exploit the lack of restrictions on certain open key formats. This allows a remote attacker to impact the...
SUSE SLES12 Security Update : python-PyJWT (SUSE-SU-2021:2010-1)
The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2021:2010-1 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. File data...
SUSE: Security Advisory (SUSE-SU-2021:2010-1)
The remote host is missing an update for the...