CVE-2024-37568

Vulnrichment ID: VULNRICHMENT:CVE-2024-37568
Published: 2024-06-09 00:00:00
Source: mitre
Reference: github.com
Tags: lepture authlib, algorithm confusion, asymmetric public key

AI Score: 6.6
Confidence: Low

SSVC
  Exploitation: poc
  Automatable: yes
  Technical Impact: partial

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
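A defensive decode wrapper illustrating the check the description implies, added here as an example and not Authlib's own code: the caller must pass an explicit algorithm allowlist, the token header's `alg` is compared against that list before any signature work, and HMAC verification is refused outright when the supplied key is PEM-encoded public key material. All secrets, keys and claims below are constructed, and only HS256 verification is implemented.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed sample values; not from the advisory or from Authlib.
SHARED_SECRET = b"constructed-demo-hmac-secret"
FAKE_PUBLIC_KEY_PEM = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkq...demo...\n-----END PUBLIC KEY-----\n"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWS for the demo (the legitimate signer side)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_jwt(token: str, key, algorithms: Optional[List[str]]) -> dict:
    """Verify a compact JWS with a caller-supplied algorithm allowlist.
    The ordering of the checks is the point: allowlist first, key-type
    sanity check second, signature last."""
    if not algorithms:
        # Never let the token's own header choose the algorithm.
        raise ValueError("caller must pass an explicit algorithm allowlist")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in algorithms:
        raise ValueError(f"alg {alg!r} not in allowlist {algorithms}")
    if alg.startswith("HS"):
        key_text = key.decode() if isinstance(key, bytes) else str(key)
        if "-----BEGIN" in key_text:
            # PEM-encoded (public) key material is never a valid HMAC secret.
            raise ValueError("refusing HMAC verification with an asymmetric key")
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(payload_b64))
    raise NotImplementedError(f"{alg} verification is not implemented in this demo")
```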

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:lepture:authlib:*:*:*:*:*:*:*:*"
    ],
    "vendor": "lepture",
    "product": "authlib",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.3.1",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]
