13 matches found
SUSE CVE-2017-11424
In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...
K000132202: PyJWT vulnerability CVE-2017-11424
Security Advisory Description In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is...
airavata-custos-portal (>=0.0.1 <=0.0.6), airavata-custos-portal-sdk (=0.0.1) +27 more potentially affected by CVE-2017-11424 via pyjwt (>=0.2.1 <=1.5.0)
pyjwt PYPI version =0.2.1, =0.0.1, =1.0.9, =1.0.2, =0.10.0, =0.0.1, =0.5.0, =0.1.1, =1.0.0a2, =0.4.15, =2.1.0, =0.1.1, =1.0.2, =1.3.2 - dv-pyclient =0.1.15 and more Source cves: CVE-2017-11424 Source advisory: OSV:GHSA-R9JW-MWHQ-WP62...
Ubuntu: Security Advisory (USN-3407-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
openSUSE Security Update : python3-PyJWT (openSUSE-2017-1178)
This update for python3-PyJWT fixes the following vulnerability : - CVE-2017-11424: Insufficient filtering of PEM encoding public keys allowed for creation of JWTs from scratch boo1054106, with duplicate CVE-2017-12880 %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and...
Fedora Update for python-jwt FEDORA-2017-b9f07dfaca
The remote host is missing an update for the SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Fedora 26 : python-jwt (2017-b9f07dfaca)
Upgrade to 1.5.3 and also note that 1.5.1 fixed CVE-2017-11424. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing...
Debian DSA-3979-1 : pyjwt - security update
It was discovered that PyJWT, a Python implementation of JSON Web Token performed insufficient validation of some public key types, which could allow a remote attacker to craft JWTs from scratch. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this...
[SECURITY] [DSA 3979-1] pyjwt security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3979-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff September 19, 2017 https://www.debian.org/security/faq -...
Debian: Security Advisory (DSA-3979-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
airavata-custos-portal (>=0.0.1 <=0.0.6), airavata-custos-portal-sdk (=0.0.1) +27 more potentially affected by CVE-2017-11424 via pyjwt (>=0.2.1 <=1.5.0)
pyjwt PYPI version =0.2.1, =0.0.1, =1.0.9, =1.0.2, =0.10.0, =0.0.1, =0.5.0, =0.1.1, =1.0.0a2, =0.4.15, =2.1.0, =0.1.1, =1.0.2, =1.3.2 - dv-pyclient =0.1.15 and more Source cves: CVE-2017-11424 Source advisory: OSV:PYSEC-2017-24...
CVE-2017-11424
CVE-2017-11424 affects PyJWT 1.5.0 and earlier, where the invalid_strings check in HMACAlgorithm.prepare_key fails to account for all PEM public-key formats (notably PKCS1 PEM prefixed with -----BEGIN RSA PUBLIC KEY-----), enabling key confusion attacks that could let an attacker craft JWTs from ...
CVE-2017-12880
PyJWT CVE-2017-12880 concerns symmetric/asymmetric key confusion when handling PKCS1 PEM public keys. Connected advisories note the issue is fixed in PyJWT updates (openSUSE/SUSE advisories) and that CVE-2017-12880 is referenced alongside CVE-2017-11424 (duplicate). The available documents do not...