Lucene search
K

57 matches found

OSV
OSV
added 2026/07/07 1:10 p.m.7 views

ROOT-APP-PYPI-CVE-2026-27932 CVE-2026-27932 in rootio-joserfc - Patched by Root

Root has patched CVE-2026-27932 in the rootio-joserfc package for Root:PyPI. Multiple fixed versions available...

7.5CVSS5.8AI score0.00432EPSS
Exploits2
OSV
OSV
added 2026/07/07 1:10 p.m.4 views

ROOT-APP-PYPI-CVE-2026-49852 CVE-2026-49852 in rootio-joserfc - Patched by Root

Root has patched CVE-2026-49852 in the rootio-joserfc package for Root:PyPI. Multiple fixed versions available...

5.9AI score
Exploits0
OSV
OSV
added 2026/07/04 12:0 a.m.2 views

OPENSUSE-SU-2026:11183-1 python313-joserfc-1.7.2-2.1 on GA media

These are all security issues fixed in the python313-joserfc-1.7.2-2.1 package on the GA media of openSUSE Tumbleweed...

5.9AI score
Exploits0References1
Circl
Circl
added 2026/07/02 8:35 p.m.16 views

CVE-2026-49852

creationtimestamp| type| source ---|---|--- 2026-07-02 20:35:04+00:00| published-proof-of-concept| https://github.com/authlib/joserfc/security/advisories/GHSA-gg9x-qcx2-xmrh...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/07/02 7:12 p.m.4 views

GHSA-GG9X-QCX2-XMRH joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)

Summary joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None. HMACAlgorithm.sign and HMACAlgorithm.verify in src/joserfc/rfc7518/jwsalgs.py:62-70 feed whatever OctKey.getopkey... produced into hmac.new..., and...

8.7CVSS5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-55459

Name of the Vulnerable Software and Affected Versions joserfc versions 1.6.7 and earlier Description An authentication bypass exists when the verification key provided to joserfc.jwt.decode is an empty string or None. This occurs because the HMACAlgorithm.verify and HMACAlgorithm.sign functions...

8.7CVSS6AI score
Exploits0References9
EUVD
EUVD
added 2026/06/26 8:59 p.m.13 views

EUVD-2026-37805

joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization...

5.3CVSS5.8AI score0.00163EPSS
Exploits0References3
OSV
OSV
added 2026/06/26 8:59 p.m.3 views

GHSA-WPHV-VFRH-23Q5 joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization

RFC7797 b64=false JWS payloads bypass JWSRegistry payload-size limits during deserialization Summary Testing revealed that joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength. The normal JWS compact and flattened JSON paths reject payloads above...

5.3CVSS5.7AI score0.00163EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/06/20 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-48990

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joser...

5.3CVSS5.9AI score0.00163EPSS
Exploits0References3
OSV
OSV
added 2026/06/19 12:0 a.m.4 views

OPENSUSE-SU-2026:11067-1 python311-joserfc-1.7.1-1.1 on GA media

These are all security issues fixed in the python311-joserfc-1.7.1-1.1 package on the GA media of openSUSE Tumbleweed...

5.3CVSS5.9AI score0.00163EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/18 5:1 p.m.10 views

CVE-2026-48990

A flaw was found in joserfc, a Python library for JSON Object Signing and Encryption JOSE. This vulnerability allows a remote attacker to cause resource exhaustion, leading to a Denial of Service DoS, by sending oversized JSON Web Signature JWS payloads. The library fails to apply size limits,...

5.3CVSS5.3AI score0.00163EPSS
Exploits0References5
NVD
NVD
added 2026/06/17 10:16 p.m.12 views

CVE-2026-48990

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...

5.3CVSS0.00163EPSS
Exploits0References2
OSV
OSV
added 2026/06/17 10:16 p.m.6 views

DEBIAN-CVE-2026-48990

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...

5.3CVSS5.4AI score0.00163EPSS
Exploits0References1
OSV
OSV
added 2026/06/17 10:16 p.m.8 views

UBUNTU-CVE-2026-48990

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...

5.3CVSS5.8AI score0.00163EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/06/17 9:8 p.m.10 views

CVE-2026-48990

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...

5.3CVSS5.4AI score0.00163EPSS
Exploits0
CVE
CVE
added 2026/06/17 9:8 p.m.45 views

CVE-2026-48990

In joserfc (Python), CVE-2026-48990 affects versions 1.3.4–1.6.5 where oversized RFC7797 b64=false JWS payloads bypass JWSRegistry.max_payload_length during deserialization, enabling potential resource exhaustion. The standard JWS compact/flattened paths enforce the payload limit via ExceededSize...

5.3CVSS5.4AI score0.00163EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/17 9:8 p.m.25 views

CVE-2026-48990 joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...

5.3CVSS0.00163EPSS
Exploits0References2
OSV
OSV
added 2026/06/17 9:8 p.m.4 views

CVE-2026-48990 joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength, which can lead to resource exhaustion...

5.3CVSS5.9AI score0.00163EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/03/07 12:0 a.m.5 views

openSUSE 16 Security Update : python-joserfc (openSUSE-SU-2026:20322-1)

The remote openSUSE 16 host has a package installed that is affected by a vulnerability as referenced in the openSUSE- SU-2026:20322-1 advisory. Changes in python-joserfc: - CVE-2026-27932: unbounded PBKDF2 iteration count can lead to a denial of service bsc1259154 Tenable has extracted the...

7.5CVSS5.9AI score0.00432EPSS
Exploits2References3
OPENSUSE Linux
OPENSUSE Linux
added 2026/03/06 12:0 a.m.6 views

python311-joserfc-1.6.3-1.1 on GA media (moderate)

python311-joserfc-1.6.3-1.1 on GA media Announcement ID: openSUSE-SU-2026:10293-1 Rating: moderate Cross-References: CVE-2026-27932 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in the...

7.5CVSS5.8AI score0.00432EPSS
Exploits2
Rows per page
Query Builder