GHSA-75c5-xw7c-p5pm: PyJWT Issuer field partial matches allowed

Summary

The wrong if check is run when validating the iss claim: a string issuer is compared with a substring test instead of an equality test, so "abc" is accepted for "_abc_".

Details

This is a bug introduced in version 2.10.0: checking the “iss” claim changed from isinstance(issuer, list) to isinstance(issuer, Sequence).

-        if isinstance(issuer, list):
+        if isinstance(issuer, Sequence):
            if payload["iss"] not in issuer:
                raise InvalidIssuerError("Invalid issuer")
        else:
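Review bot: widening the guard from list to Sequence at the + line also captures a plain str issuer, because str is a collections.abc.Sequence; with issuer = "urn:expected" the body then evaluates payload["iss"] not in issuer as a substring test, so "urn:" is accepted. Keep the exact-match branch for strings, for example by testing isinstance(issuer, str) before the Sequence branch, or by excluding str from it (isinstance(issuer, Sequence) and not isinstance(issuer, str)).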

Since str is a Sequence but not a list, a string issuer now takes the membership branch, and the in operator on a string is a substring test rather than an equality test. The code therefore checks if "abc" not in "__abcd__": instead of if "abc" != "__abc__":.
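
The following is an added example, not code from the advisory or from the PyJWT project. It reproduces the check quoted above in a self-contained form so the substring behaviour can be run without installing PyJWT, and places a hardened variant beside it. The else branch of the vulnerable function, the InvalidIssuerError stand-in and the hardened logic are this example's own assumptions; they are not the upstream fix commit.

```python
from collections.abc import Sequence


class InvalidIssuerError(Exception):
    """Stand-in for jwt.exceptions.InvalidIssuerError so the example runs without PyJWT."""


def validate_iss_vulnerable(payload, issuer):
    """Mirror of the 2.10.0 check quoted in the advisory.

    str is itself a collections.abc.Sequence, so a string issuer takes the
    membership branch and ``payload["iss"] not in issuer`` becomes a substring
    test. The else branch (exact comparison) is assumed; the advisory only
    shows the Sequence branch.
    """
    if isinstance(issuer, Sequence):
        if payload["iss"] not in issuer:
            raise InvalidIssuerError("Invalid issuer")
    else:
        if payload["iss"] != issuer:
            raise InvalidIssuerError("Invalid issuer")


def validate_iss_fixed(payload, issuer):
    """Hardened check written for this example (not the upstream patch).

    A string issuer is compared for equality. Only a non-string sequence is
    treated as a collection of acceptable issuers, and membership there is an
    exact per-element comparison. A non-string ``iss`` claim is rejected
    outright instead of reaching a TypeError inside ``in``.
    """
    claim = payload.get("iss")
    if not isinstance(claim, str):
        raise InvalidIssuerError("Invalid issuer")
    if isinstance(issuer, str):
        if claim != issuer:
            raise InvalidIssuerError("Invalid issuer")
    elif isinstance(issuer, Sequence):
        if claim not in issuer:
            raise InvalidIssuerError("Invalid issuer")
    else:
        raise TypeError("issuer must be a str or a sequence of str")


def accepted(validator, iss_claim, issuer):
    """Return True if the validator lets a payload with this iss claim through."""
    try:
        validator({"iss": iss_claim}, issuer)
    except InvalidIssuerError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the advisory's PoC values plus the list form.
    cases = [
        ("urn:", "urn:expected"),          # prefix of the expected issuer
        ("urn:expected", "urn:expected"),  # exact match
        ("abc", "__abcd__"),               # substring in the middle
        ("ab", ["abc", "def"]),            # list issuer: membership is exact
    ]
    for claim, issuer in cases:
        print(f"iss={claim!r:16} issuer={issuer!r:18} "
              f"vulnerable={accepted(validate_iss_vulnerable, claim, issuer)} "
              f"fixed={accepted(validate_iss_fixed, claim, issuer)}")
```

Running the module prints one line per case; the vulnerable check passes "urn:" for "urn:expected" and "abc" for "__abcd__", while the hardened check only passes the exact match and the genuine list membership. Note that the list form was never affected: the bug is specific to the string issuer falling into the Sequence branch.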

PoC

Check out the unit tests added here: https://github.com/jpadilla/pyjwt-ghsa-75c5-xw7c-p5pm

    import jwt
    import pytest
    from jwt.exceptions import InvalidIssuerError

    def test_issuer_partial_match_is_rejected():
        issuer = "urn:expected"
        payload = {"iss": "urn:"}
        token = jwt.encode(payload, "secret")

        # On the affected version decode() succeeds even though "urn:" != "urn:expected",
        # so no exception is raised and this test fails; it passes once the check is fixed.
        with pytest.raises(InvalidIssuerError):
            jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"])

Impact

I would say the real-world impact is not that high, seeing as the signature still has to match. We should still fix it.

References

  • GHSA-75c5-xw7c-p5pm
  • https://nvd.nist.gov/vuln/detail/CVE-2024-53861
  • jpadilla/pyjwt@1570e70#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366
  • jpadilla/pyjwt@33022c2
