Veracode Vulnerability DatabaseVERACODE:47480Authentication Bypass
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.3 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
22.1%
authlib is vulnerable to Authentication Bypass The vulnerability is due to allowing HMAC verification with any asymmetric public key in jwt.decode calls without specifying an algorithm, which attackers can exploit to bypass authentication checks.
References
github.com/advisories/GHSA-5357-c2jx-v7qh
github.com/lepture/authlib/commit/3bea812acefebc9ee108aa24557be3ba8971daf1
github.com/lepture/authlib/issues/654
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU/
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.3 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
22.1%