283 matches found
Debian: Security Advisory (DSA-3979-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Ubuntu 16.04 LTS : PyJWT vulnerability (USN-3407-1)
The remote Ubuntu 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3407-1 advisory. It was discovered that a vulnerability in PyJWT doesn't check invalidstrings properly for some public keys. A remote attacker could take advantage of a key...
USN-3407-1 pyjwt vulnerability
It was discovered that a vulnerability in PyJWT doesn't check invalidstrings properly for some public keys. A remote attacker could take advantage of a key confusion to craft JWTs from scratch...
USN-3407-1: PyJWT vulnerability
It was discovered that a vulnerability in PyJWT doesn't check invalidstrings properly for some public keys. A remote attacker could take advantage of a key confusion to craft JWTs from scratch...
CVE-2017-11424
In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...
CVE-2017-11424
In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...
PYSEC-2017-24
In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...
DEBIAN-CVE-2017-11424
In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...
CVE-2017-11424
In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...
Type confusion
In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...
CVE-2017-11424
CVE-2017-11424 affects PyJWT 1.5.0 and earlier, where the invalid_strings check in HMACAlgorithm.prepare_key fails to account for all PEM public-key formats (notably PKCS1 PEM prefixed with -----BEGIN RSA PUBLIC KEY-----), enabling key confusion attacks that could let an attacker craft JWTs from ...
CVE-2017-11424
In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...
CVE-2017-11424
In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...
CVE-2017-11424
In PyJWT 1.5.0 and below the invalidstrings check in HMACAlgorithm.preparekey does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...
Key Confusion Attacks
PyJWT is vulnerable to asymmetric/symmetric key confusion attacks. PKCS1 PEM keys that begin with -----BEGIN RSA PUBLIC KEY----- will not be rejected by the invalidstrings check in HMACAlgorithm.preparekey. Using this flaw, attackers can cause symmetric/asymmetric confusion and create JWTs from...
openSUSE Security Update : python-PyJWT (openSUSE-2015-620)
python-PyJWT was updated to fix unsafe usage of asymmetric keys in combination with HMAC algorithm bsc935544 %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from openSUSE Security Update openSUSE-2015-620. The text...
pyjwt Insecure HMAC Signature Validation Vulnerability
pyjwt is a JSON Web Token implementation in Python. The pyjwt insecure HMAC signature checksum vulnerability allows remote attackers to perform unauthorized operations or obtain sensitive information...
[SECURITY] [DSA 3293-1] pyjwt security update
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3293-1 [email protected] https://www.debian.org/security/ Alessandro Ghedini June 20, 2015 https://www.debian.org/security/faq -...
Debian DSA-3293-1 : pyjwt - security update
Tim McLean discovered that pyjwt, a Python implementation of JSON Web Token, would try to verify an HMAC signature using an RSA or ECDSA public key as secret. This could allow remote attackers to trick applications expecting tokens signed with asymmetric keys, into accepting arbitrary tokens. For...
[SECURITY] [DSA 3293-1] pyjwt security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3293-1 [email protected] https://www.debian.org/security/ Alessandro Ghedini June 20, 2015 https://www.debian.org/security/faq -...