CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence: Low
EPSS
Percentile: 22.0%
authlib is vulnerable to authentication bypass. The vulnerability is due to allowing HMAC verification with any asymmetric public key in jwt.decode calls without specifying an algorithm, which attackers can exploit to bypass authentication checks.
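The root cause named above is a verifier that lets the token's own header choose the algorithm, so a token whose "signature" is an HMAC computed with the server's public key is checked against that same public key and passes. The following is an added, stdlib-only example (not Authlib's code and not taken from the advisory) of the defensive pre-check a service should apply before any signature verification: pin the accepted algorithms to an allowlist and, as a second line of defence, refuse any HMAC algorithm when the verifier only holds an asymmetric public key. `ALLOWED_ALGS`, `check_algorithm`, `peek_header`, `make_token`, `demo` and the sample tokens are all constructed for this illustration. In Authlib itself the equivalent is to construct a `JsonWebToken(['RS256'])` instance with only the algorithms you actually issue, rather than calling the module-level `jwt` object, which accepts every JWS algorithm Authlib registers.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: the only algorithm this service issues.
# The verifier, not the token header, decides which algorithms are acceptable.
ALLOWED_ALGS = {"RS256"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip off."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def peek_header(token: str) -> dict:
    """Return the still-unverified JOSE header; used only to reject bad algorithms early."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("malformed JWT: header is not a JSON object")
    return header


def check_algorithm(token: str, allowed=ALLOWED_ALGS, key_is_public: bool = True) -> str:
    """Reject a token unless its declared 'alg' is explicitly permitted.

    Check 1 (allowlist): 'alg' must be one the verifier was configured for. This also
    blocks 'none' and any algorithm the service never issues.
    Check 2 (key-type sanity): an HMAC ('HS*') algorithm can never be valid when the
    verifier holds only an asymmetric public key; that pairing is the algorithm-confusion
    case described in the advisory. Returns the accepted algorithm name.
    """
    alg = peek_header(token).get("alg")
    if not isinstance(alg, str) or alg not in allowed:
        raise ValueError(f"algorithm {alg!r} not permitted (allowed: {sorted(allowed)})")
    if key_is_public and alg.startswith("HS"):
        raise ValueError("HMAC algorithm declared but verifier holds an asymmetric public key")
    return alg


def make_token(header: dict, payload: dict, secret: bytes) -> str:
    """Constructed helper: build a JWT with an HMAC-SHA256 signature, stdlib only.

    Only the header matters to check_algorithm, so the signature is just there to make
    the sample tokens structurally complete.
    """
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{base64.urlsafe_b64encode(sig).rstrip(b'=').decode()}"


def demo() -> dict:
    """Run the pre-check over constructed tokens and report each verdict."""
    secret = b"constructed-secret"
    confused = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, secret)
    unsigned = make_token({"alg": "none", "typ": "JWT"}, {"sub": "alice"}, secret)
    # Header claims RS256; the header check passes and real RSA verification would follow.
    pinned = make_token({"alg": "RS256", "typ": "JWT"}, {"sub": "alice"}, secret)
    cases = {
        "hs256_vs_allowlist": (confused, {"RS256"}, True),          # stopped by check 1
        "hs256_vs_key_type": (confused, {"RS256", "HS256"}, True),  # stopped by check 2
        "alg_none": (unsigned, {"RS256"}, True),                    # stopped by check 1
        "rs256_header": (pinned, {"RS256"}, True),                  # passes the pre-check
    }
    results = {}
    for name, (tok, allowed, pub) in cases.items():
        try:
            results[name] = "accepted: " + check_algorithm(tok, allowed, pub)
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The second check exists for services that legitimately accept both HMAC and RSA tokens from different issuers: even then, the key selected for a given issuer fixes the algorithm family, so an HMAC header paired with a public key is always a rejection, never a fallback.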
github.com/advisories/GHSA-5357-c2jx-v7qh
github.com/lepture/authlib/commit/3bea812acefebc9ee108aa24557be3ba8971daf1
github.com/lepture/authlib/issues/654
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M5/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU/
www.vicarius.io/vsociety/posts/algorithm-confusion-in-lepture-authlib-cve-2024-37568