CVSSv3: 7.5

CVE-2022-29217

Published: 24/05/2022 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector (CVSS v2): AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple JWT signing algorithms. With JWT, the party submitting the token chooses the signing algorithm named in its header. The PyJWT library therefore requires that the application choose which algorithms it accepts. The application can pass `jwt.algorithms.get_default_algorithms()` to accept every supported algorithm, or name a single algorithm. The impact is limited because the application must have been decoding with `algorithms=jwt.algorithms.get_default_algorithms()` for the issue to apply. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit about the algorithms that are accepted and expected when decoding.
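To illustrate the workaround, here is an added, stdlib-only decoder (not code from the PyJWT project or this advisory) that refuses any token whose header names an algorithm outside the caller's explicit allowlist, before the key is used for anything; the helper names, secret and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def encode_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token (constructed helper so the example runs offline)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def decode(token: str, key: bytes, algorithms: list) -> dict:
    """Verify a token, honouring only the caller's explicit algorithm allowlist."""
    if not algorithms:
        raise ValueError("algorithms must be an explicit, non-empty allowlist")
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if malformed
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    # The header is chosen by whoever submits the token, so the alg it names is only
    # honoured when the application listed it; anything else is refused before the key is used.
    if alg not in algorithms:
        raise ValueError(f"algorithm {alg!r} not in allowlist {algorithms}")
    if alg != "HS256":
        raise NotImplementedError("this example only implements HS256")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload_b64))

# Constructed sample secret and token; not real credentials.
SECRET = b"example-shared-secret"
TOKEN = encode_hs256({"sub": "alice", "role": "user"}, SECRET)

def demo() -> tuple:
    # Returns (claims of the valid token, whether a token whose header names RS256 was refused).
    claims = decode(TOKEN, SECRET, algorithms=["HS256"])
    other_alg = _b64url_encode(b'{"alg":"RS256","typ":"JWT"}') + TOKEN[TOKEN.index("."):]
    try:
        decode(other_alg, SECRET, algorithms=["HS256"])
    except ValueError:
        return claims, True
    return claims, False
```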

Vulnerable Products

pyjwt project pyjwt

fedoraproject fedora 35

fedoraproject fedora 36

Vendor Advisories

Debian Bug report logs - #1011747 pyjwt: CVE-2022-29217 - Key confusion through non-blocklisted public key formats. Package: src:pyjwt; Maintainer for src:pyjwt is Debian Python Team <team+python@tracker.debian.org>; Reported by: Neil Williams <codehelp@debian.org>; Date: Thu, 26 May 2022 09:45:01 UTC; Severity: importa ...
Debian Bug report logs - #1070375 python-jose: CVE-2024-33663 CVE-2024-33664. Package: src:python-jose; Maintainer for src:python-jose is Debian Python Team <team+python@tracker.debian.org>; Reported by: Moritz Mühlenhoff <jmm@inutil.org>; Date: Sat, 4 May 2024 16:03:01 UTC; Severity: important; Tags: security, upstrea ...
Arch Linux AVG-2781 python-pyjwt: affected 2.3.0-1, fixed 2.4.0-1 (severity, remote, type: unknown) ...
ALAS-2022-241 Amazon Linux 2022 Security Advisory; Advisory Release Date: 2022-12-06 16:43 Pacific ...
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS ...