CVE-2022-39227: FIX VULNERABILITY · davedoesdev/python-jwt@88ad9e6
python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other users' identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.
@@ -1,5 +1,5 @@ <?xml version="1.0" ?> <coverage version="6.4.1" timestamp="1656832390379" lines-valid="88" lines-covered="88" line-rate="1" branches-valid="58" branches-covered="58" branch-rate="1" complexity="0"> <coverage version="6.4.1" timestamp="1661973013420" lines-valid="96" lines-covered="96" line-rate="1" branches-valid="60" branches-covered="60" branch-rate="1" complexity="0"> <!-- Generated by coverage.py: https://coverage.readthedocs.io --> <!-- Based on https://raw.githubusercontent.com/cobertura/web/master/htdocs/xml/coverage-04.dtd --> <sources> 
@@ -16,89 +16,97 @@ <line number="7" hits="1"/> <line number="8" hits="1"/> <line number="9" hits="1"/> <line number="12" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="15” hits="1"/> <line number="17" hits="1"/> <line number="59" hits="1"/> <line number="64" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="65” hits="1"/> <line number="66" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="67” hits="1"/> <line number="10" hits="1"/> <line number="13" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="16” hits="1"/> <line number="18" hits="1"/> <line number="60" hits="1"/> <line number="65" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="66” hits="1"/> <line number="67" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="68” hits="1"/> <line number="70" hits="1"/> <line number="72" hits="1"/> <line number="74" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="75” hits="1"/> <line number="77" hits="1"/> <line number="69" hits="1"/> <line number="71" hits="1"/> <line number="73" hits="1"/> <line number="75" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="76” hits="1"/> <line number="78" hits="1"/> <line number="80" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="81” hits="1"/> <line number="82" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="83” hits="1"/> <line number="85" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="86” hits="1"/> <line number="88" hits="1"/> <line number="79" hits="1"/> <line number="81" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="82” hits="1"/> <line number="83" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="84” hits="1"/> <line number="86" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="87” hits="1"/> <line number="89" hits="1"/> 
<line number="90" hits="1"/> <line number="91" hits="1"/> <line number="93" hits="1"/> <line number="101" hits="1"/> <line number="142" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="143” hits="1"/> <line number="145" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="147” hits="1"/> <line number="149" hits="1"/> <line number="151" hits="1"/> <line number="92" hits="1"/> <line number="94" hits="1"/> <line number="102" hits="1"/> <line number="103" hits="1"/> <line number="104" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="105” hits="1"/> <line number="107" hits="1"/> <line number="150" hits="1"/> <line number="152" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="153” hits="1"/> <line number="154" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="155” hits="1"/> <line number="156" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="155” hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="157” hits="1"/> <line number="159" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="160” hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="161” hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="162” hits="1"/> <line number="163" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="164” hits="1"/> <line number="159" hits="1"/> <line number="161" hits="1"/> <line number="163" hits="1"/> <line number="164" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="165” hits="1"/> <line number="166" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="167” hits="1"/> <line number="168" hits="1"/> <line number="169" hits="1"/> <line number="169" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="170” hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="171” hits="1"/> <line number="173" 
hits="1"/> <line number="175" hits="1"/> <line number="176" hits="1"/> <line number="171" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="172” hits="1"/> <line number="173" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="174” hits="1"/> <line number="176" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="177” hits="1"/> <line number="178" hits="1"/> <line number="179" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="180” hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="181” hits="1"/> <line number="182" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="183” hits="1"/> <line number="185" hits="1"/> <line number="186" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="187” hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="188” hits="1"/> <line number="189" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="190” hits="1"/> <line number="179" hits="1"/> <line number="180" hits="1"/> <line number="181" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="182” hits="1"/> <line number="184" hits="1"/> <line number="186" hits="1"/> <line number="187" hits="1"/> <line number="189" hits="1"/> <line number="190" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="191” hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="192” hits="1"/> <line number="193" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="194” hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="195” hits="1"/> <line number="196" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="197” hits="1"/> <line number="194" hits="1"/> <line number="196" hits="1"/> <line number="197" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="198” hits="1" branch="true" condition-coverage="100% (2/2)“/> <line 
number="199” hits="1"/> <line number="200" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="201” hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="202” hits="1"/> <line number="203" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="204” hits="1"/> <line number="201" hits="1"/> <line number="203" hits="1"/> <line number="204" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="205” hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="206” hits="1"/> <line number="207" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="208” hits="1"/> <line number="210" hits="1"/> <line number="222" hits="1"/> <line number="223" hits="1"/> <line number="224" hits="1"/> <line number="225" hits="1"/> <line number="211" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="212” hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="213” hits="1"/> <line number="214" hits="1" branch="true" condition-coverage="100% (2/2)“/> <line number="215” hits="1"/> <line number="217" hits="1"/> <line number="221" hits="1"/> <line number="233" hits="1"/> <line number="234" hits="1"/> <line number="235" hits="1"/> <line number="236" hits="1"/> <line number="237" hits="1"/> </lines> </class> </classes>
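Review bot: both hunks touch only the generated coverage.xml, so this diff records the effect of the fix rather than the fix itself; the header line shows lines-valid rising from 88 to 96 and branches-valid from 58 to 60 with line-rate and branch-rate both staying at 1, which confirms the new verification path is fully exercised by the test suite, but the timestamp change (1656832390379 to 1661973013420) and the renumbering of every following <line> element are pure churn. Consider keeping coverage.xml out of version control and regenerating it in CI, so that a security fix commit shows only the source and test changes a reviewer needs to audit.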
Related news
### Impact

An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other users' identities, hijack their sessions, or bypass authentication.

### Patches

Users should upgrade to version 3.3.4.

Fixed by: https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9

### Workarounds

None

### References

Found by [Tom Tervoort]([email protected])

https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml

### More information

The vulnerability allows an attacker who possesses a single valid JWT to create a new token with forged claims that the verify_jwt function will accept as valid. The issue is caused by an inconsistency between the JWT parsers used by python-jwt and its dependency jwcrypto. By mixing compact and JSON representations, an attacker can trick jwcrypto into parsing different claims than tho...
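The parser-inconsistency class described above, shown from the defender's side as an added example that is not python-jwt's or jwcrypto's own code: a hypothetical hardened HS256 verifier that accepts only strict compact serialization, so exactly one parser ever sees the token and the claims it returns are the ones whose MAC was checked. `mint_hs256_compact` and `is_rejected` are constructed helpers; the key and claims in the comments are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import re

# Strict compact grammar: exactly three base64url segments. A JSON-serialized
# JWS begins with '{' and cannot match, so only one parser ever sees the token.
_SEG = r"[A-Za-z0-9_-]+"
_COMPACT_RE = re.compile(rf"^{_SEG}\.{_SEG}\.{_SEG}$")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_hs256_compact(claims: dict, key: bytes) -> str:
    """Constructed helper: issue an HS256 token so the verifier has input."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256_compact(token: str, key: bytes) -> dict:
    """Hypothetical hardened verifier: strict compact form only, claims taken from the MAC-checked bytes."""
    if not _COMPACT_RE.match(token):
        raise ValueError("token is not in strict compact serialization")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256" or "crit" in header:
        raise ValueError("unexpected header")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Claims come from the authenticated segment, never from a second parse
    # of the whole token by a different, more permissive parser.
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def is_rejected(token: str, key: bytes) -> bool:
    try:
        verify_hs256_compact(token, key)
    except ValueError:  # also covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return True
    return False
```

The test below feeds the verifier a valid token, a token with a swapped payload segment, a JSON-serialized rewrite of the same token, and tokens with extra segments or whitespace; only the first is accepted.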