Lucene search
K

283 matches found

OpenVAS
OpenVAS
added 2017/09/18 12:0 a.m.15 views

Debian: Security Advisory (DSA-3979-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.5CVSS7.5AI score0.01804EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2017/08/31 12:0 a.m.22 views

Ubuntu 16.04 LTS : PyJWT vulnerability (USN-3407-1)

The remote Ubuntu 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3407-1 advisory. It was discovered that a vulnerability in PyJWT doesn't check invalidstrings properly for some public keys. A remote attacker could take advantage of a key...

7.5CVSS7.5AI score0.01804EPSS
Exploits0References2
OSV
OSV
added 2017/08/30 6:52 p.m.5 views

USN-3407-1 pyjwt vulnerability

It was discovered that a vulnerability in PyJWT doesn't check invalidstrings properly for some public keys. A remote attacker could take advantage of a key confusion to craft JWTs from scratch...

7.5CVSS7.1AI score0.01804EPSS
Exploits0References2
Ubuntu
Ubuntu
added 2017/08/30 6:52 p.m.61 views

USN-3407-1: PyJWT vulnerability

It was discovered that a vulnerability in PyJWT doesn't check invalidstrings properly for some public keys. A remote attacker could take advantage of a key confusion to craft JWTs from scratch...

7.5CVSS7.4AI score0.01804EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2017/08/25 8:48 a.m.35 views

CVE-2017-11424

In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...

7.5CVSS3.7AI score0.01804EPSS
Exploits0References1
NVD
NVD
added 2017/08/24 4:29 p.m.20 views

CVE-2017-11424

In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...

7.5CVSS7.3AI score0.01804EPSS
Exploits0References2
PyPA
PyPA
added 2017/08/24 4:29 p.m.7 views

PYSEC-2017-24

In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...

7.5CVSS6.9AI score0.01804EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2017/08/24 4:29 p.m.1 views

DEBIAN-CVE-2017-11424

In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...

7.5CVSS6.9AI score0.01804EPSS
Exploits0References1
OSV
OSV
added 2017/08/24 4:29 p.m.18 views

CVE-2017-11424

In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...

7.5CVSS7.4AI score
Exploits0References2
Prion
Prion
added 2017/08/24 4:29 p.m.22 views

Type confusion

In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...

5CVSS7.3AI score0.01804EPSS
Exploits0References2Affected Software2
CVE
CVE
added 2017/08/24 4:0 p.m.152 views

CVE-2017-11424

CVE-2017-11424 affects PyJWT 1.5.0 and earlier, where the invalid_strings check in HMACAlgorithm.prepare_key fails to account for all PEM public-key formats (notably PKCS1 PEM prefixed with -----BEGIN RSA PUBLIC KEY-----), enabling key confusion attacks that could let an attacker craft JWTs from ...

7.5CVSS7.2AI score0.01804EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2017/08/24 4:0 p.m.35 views

CVE-2017-11424

In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...

7.3AI score0.01804EPSS
Exploits0References2
Debian CVE
Debian CVE
added 2017/08/24 4:0 p.m.70 views

CVE-2017-11424

In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...

7.5CVSS7.4AI score0.01804EPSS
Exploits0
UbuntuCve
UbuntuCve
added 2017/08/24 12:0 a.m.37 views

CVE-2017-11424

In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...

7.5CVSS7.1AI score0.01804EPSS
Exploits0References2
Veracode
Veracode
added 2017/08/16 10:26 p.m.27 views

Key Confusion Attacks

PyJWT is vulnerable to asymmetric/symmetric key confusion attacks. PKCS1 PEM keys that begin with -----BEGIN RSA PUBLIC KEY----- will not be rejected by the invalidstrings check in HMACAlgorithm.preparekey. Using this flaw, attackers can cause symmetric/asymmetric confusion and create JWTs from...

7.5CVSS7.2AI score0.01804EPSS
Exploits0References3Affected Software1
Tenable Nessus
Tenable Nessus
added 2015/10/02 12:0 a.m.33 views

openSUSE Security Update : python-PyJWT (openSUSE-2015-620)

python-PyJWT was updated to fix unsafe usage of asymmetric keys in combination with HMAC algorithm bsc935544 %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from openSUSE Security Update openSUSE-2015-620. The text...

5.4AI score
Exploits0References1
CNVD
CNVD
added 2015/07/12 12:0 a.m.3 views

pyjwt Insecure HMAC Signature Validation Vulnerability

pyjwt is a JSON Web Token implementation in Python. The pyjwt insecure HMAC signature checksum vulnerability allows remote attackers to perform unauthorized operations or obtain sensitive information...

6.8AI score
Exploits0References1
securityvulns
securityvulns
added 2015/07/05 12:0 a.m.87 views

[SECURITY] [DSA 3293-1] pyjwt security update

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3293-1 [email protected] https://www.debian.org/security/ Alessandro Ghedini June 20, 2015 https://www.debian.org/security/faq -...

1.6AI score
Exploits0
Tenable Nessus
Tenable Nessus
added 2015/06/22 12:0 a.m.15 views

Debian DSA-3293-1 : pyjwt - security update

Tim McLean discovered that pyjwt, a Python implementation of JSON Web Token, would try to verify an HMAC signature using an RSA or ECDSA public key as secret. This could allow remote attackers to trick applications expecting tokens signed with asymmetric keys, into accepting arbitrary tokens. For...

5.7AI score
Exploits0References4
Debian
Debian
added 2015/06/20 1:37 p.m.15 views

[SECURITY] [DSA 3293-1] pyjwt security update

------------------------------------------------------------------------- Debian Security Advisory DSA-3293-1 [email protected] https://www.debian.org/security/ Alessandro Ghedini June 20, 2015 https://www.debian.org/security/faq -...

6.9AI score
Exploits0
Rows per page
Query Builder