Lucene search
K

10 matches found

redhat
redhat
added 2026/05/13 3:29 p.m.6 views

pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

7.5CVSS6.6AI score0.00269EPSS
Exploits1References5
debiancve
debiancve
added 2026/03/12 9:41 p.m.8 views

CVE-2026-32597

PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting...

7.5CVSS7.2AI score0.00269EPSS
Exploits1
cnnvd
cnnvd
added 2026/03/12 12:0 a.m.7 views

pyjwt 安全漏洞

pyjwt is a Python library developed by José Padilla from the United States. It allows for the encoding and decoding of JSON Web Tokens JWTs. pyjwt has security vulnerabilities, stemming from the lack of validation for the crit header parameter. This vulnerability may allow the acceptance of JWS...

7.5CVSS6.7AI score0.00269EPSS
Exploits1References3
euvd
euvd
added 2025/10/07 12:30 a.m.6 views

EUVD-2018-0707

Malware in sbrugna...

5.9CVSS5.9AI score0.02053EPSS
Exploits0References10
kitploit
kitploit
added 2022/06/29 12:30 p.m.37 views

Jwtear - Modular Command-Line Tool To Parse, Create And Manipulate JWT Tokens For Hackers

A modular command-line tool to parse, create and manipulate JSON Web TokenJWT tokens for security testing purposes. Features Complete modularity. All commands are plugins. Easy to add new plugins. Support JWS and JWE tokens. Easy interface for plugins. follow the template example Flexible token...

7.5AI score
Exploits0References4
osv
osv
added 2018/10/18 4:47 p.m.24 views

GHSA-W6GV-3R3V-GWGJ keycloak-core vulnerable to timing attacks against JWS token verification

Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks...

5.9CVSS6AI score0.02053EPSS
Exploits0References8
github
github
added 2018/10/18 4:47 p.m.37 views

keycloak-core vulnerable to timing attacks against JWS token verification

Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks...

5.9CVSS5.9AI score0.02053EPSS
Exploits0References8Affected Software1
osv
osv
added 2018/03/12 3:29 p.m.22 views

CVE-2017-2585

Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks...

5.9CVSS6AI score
Exploits0References6
cve
cve
added 2018/03/12 3:0 p.m.118 views

CVE-2017-2585

CVE-2017-2585 affects Red Hat Keycloak before version 2.5.1, where JWS token HMAC verification is implemented in non-constant time, potentially enabling timing attacks. Documents across OSV/GHSA/NVD reiterate this exact flaw for Keycloak; no explicit exploit details or affected version ranges bey...

5.9CVSS5.8AI score0.02053EPSS
Exploits0References6Affected Software1
veracode
veracode
added 2017/04/05 6:18 a.m.28 views

Timing Attacks

keycloak-core is vulnerable to timing attacks. The vulnerability is possible because the HMAC signature comparison algorithm used by its JWS token code is not performed in constant time. Therefore, an attacker can trigger a timing attack through the JWS tokens...

5.9CVSS6.4AI score0.02053EPSS
Exploits0References3Affected Software3
Rows per page
Query Builder