18 matches found

OpenVAS | added 2024/06/21 12:0 a.m.

Fedora: Security Advisory (FEDORA-2024-2e9c58d661)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.5 | AI score 7.6 | EPSS 0.00145
Exploits 1 | References 4
Fedora | added 2024/06/20 8:1 a.m.

[SECURITY] Fedora 39 Update: python-authlib-1.3.1-1.fc39

Python library for building OAuth and OpenID Connect servers. JWS, JWK, JWA, JWT are included...

CVSS 7.5 | AI score 7 | EPSS 0.00145
Exploits 1
OpenVAS | added 2024/06/19 12:0 a.m.

Fedora: Security Advisory (FEDORA-2024-7cc9a030d9)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.5 | AI score 7.5 | EPSS 0.00145
Exploits 1 | References 4
Fedora | added 2024/06/18 10:7 a.m.

[SECURITY] Fedora 40 Update: python-authlib-1.3.1-1.fc40

Python library for building OAuth and OpenID Connect servers. JWS, JWK, JWA, JWT are included...

CVSS 7.5 | AI score 7 | EPSS 0.00145
Exploits 1
Prion | added 2024/01/09 8:15 p.m.

Null pointer dereference

jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...

CVSS 5 | AI score 7.3 | EPSS 0.00178
Exploits 1 | References 4 | Affected Software 1
OSV | added 2024/01/09 7:18 p.m.

CVE-2024-21664 Parsing JSON serialized payload without protected field can lead to segfault

jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...

CVSS 4.3 | AI score 6.5 | EPSS 0.00178
Exploits 1 | References 6
Github Security Blog | added 2023/12/05 11:29 p.m.

lestrrat-go/jwx's malicious parameters in JWE can cause a DOS

Summary: A too-high p2c parameter in JWE's PBES2- alg could lead to a DOS attack. Details: The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary...

CVSS 5.3 | AI score 6.9 | EPSS 0.00183
Exploits 1 | References 4 | Affected Software 2
NVD | added 2023/12/05 12:15 a.m.

CVE-2023-49290

lestrrat-go/jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. A p2c parameter set too high in JWE's algorithm PBES2- could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c...

CVSS 5.3 | EPSS 0.00183
Exploits 1 | References 2
Openbugbounty | added 2022/09/15 8:44 p.m.

jwa-byg.dk Cross Site Scripting vulnerability OBB-2923946

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 6.2
Exploits 0
NVD | added 2022/09/07 10:15 p.m.

CVE-2022-36083

JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named p2c PBES2 Count, which determine...

CVSS 5.3 | EPSS 0.00137
Exploits 1 | References 3
CVE | added 2022/09/07 9:55 p.m.

CVE-2022-36083

CVE-2022-36083 affects the Node.js jose module (JWA/JWS/JWE/JWT/JWK/JWKS) used in multiple runtimes. The issue arises from a JOSE Header parameter p2c (PBES2 count) that controls PBKDF2 iterations for deriving the CEK. A malicious untrusted JWE could specify an extremely high p2c, causing CPU-bou...

CVSS 5.3 | AI score 5.1 | EPSS 0.00137
Exploits 1 | References 3 | Affected Software 1
Fedora | added 2020/12/10 1:27 a.m.

[SECURITY] Fedora 32 Update: python-authlib-0.14.3-1.fc32

Python library for building OAuth and OpenID Connect servers. JWS, JWK, JWA, JWT are included...

CVSS 7.5 | AI score 3 | EPSS 0.00572
Exploits 0
OpenVAS | added 2020/12/10 12:0 a.m.

Fedora: Security Advisory for python-authlib (FEDORA-2020-b90dac7fc4)

The remote host is missing an update for the Copyright (C) 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

CVSS 7.5 | AI score 7.6 | EPSS 0.00572
Exploits 0 | References 2
Github Security Blog | added 2020/12/04 4:47 p.m.

Multiple cryptographic issues in Python oic

Impact: Client implementations using this library. Issues: 1. The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg. 2. JWA none algorithm was allowed in all flows. 3. oic.consumer.Consumer.parseauthz returns an unverified IdToken. Th...

CVSS 6.8 | AI score 2.8 | EPSS 0.00207
Exploits 0 | References 7 | Affected Software 1
OSV | added 2020/12/04 4:47 p.m.

GHSA-4FJV-PMHG-3RFG Multiple cryptographic issues in Python oic

Impact: Client implementations using this library. Issues: 1. The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg. 2. JWA none algorithm was allowed in all flows. 3. oic.consumer.Consumer.parseauthz returns an unverified IdToken. Th...

CVSS 7.6 | AI score 6.4 | EPSS 0.00207
Exploits 0 | References 7
Veracode | added 2020/12/03 2:58 a.m.

Cipher Downgrade Attack

oic is vulnerable to cipher downgrade attacks. The vulnerability exists as the IdToken signature algorithm is not checked automatically, and that the JWA none algorithm is always allowed, and that the IdToken returned from oic.consumer.Consumer.parseauthz is not verified, and the iat claim is not...

CVSS 6.8 | AI score 4 | EPSS 0.00207
Exploits 0 | References 4 | Affected Software 1
OSV | added 2020/12/02 8:15 p.m.

PYSEC-2020-69

Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1 The IdToken signature algorithm was not checked automatically, but only if the expected...

CVSS 6.8 | AI score 3.9 | EPSS 0.00207
Exploits 0 | References 4
Prion | added 2020/12/02 8:15 p.m.

Design/Logic Flaw

Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1 The IdToken signature algorithm was not checked automatically, but only if the expected...

CVSS 4.9 | AI score 6.5 | EPSS 0.00207
Exploits 0 | References 4 | Affected Software 1