
CVE-2022-39227

Published: 23/09/2022 Updated: 04/03/2023
CVSS v3 Base Score: 9.1 | Impact Score: 5.2 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

python-jwt is a module for generating and verifying JSON Web Tokens. Versions before 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the malicious user to spoof other users' identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.
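The advisory's core claim is that a valid signature could be re-used over modified claims. The following is an added illustration, not python-jwt's own code or the published proof of concept: a minimal HS256 verifier written against the Python standard library that only returns claims decoded from the exact bytes the MAC was computed over, insists on the three-segment compact serialization, and rejects the "keep header and signature, swap the payload" attempt that the advisory describes. The secret, the claims and the token formats are constructed for the example; the function names are assumptions of this example, not library APIs.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret; a real service would load this from a secret store.
SECRET = b"example-shared-secret-not-for-production"

_B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # urlsafe_b64decode silently drops characters outside the alphabet, so check
    # the alphabet explicitly: a segment must not be able to smuggle in JSON or dots.
    if not segment or any(c not in _B64URL_ALPHABET for c in segment):
        raise ValueError("invalid base64url segment")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact-serialized HS256 JWT over the given claims."""
    header = _b64url_encode(
        json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    )
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims only if they are exactly the payload the signature covers."""
    parts = token.split(".")
    if len(parts) != 3:
        # JSON serialization, extra segments, or anything else is refused outright.
        raise ValueError("expected compact JWS serialization with three segments")
    header_seg, payload_seg, sig_seg = parts
    header = json.loads(_b64url_decode(header_seg))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg")
    expected = hmac.new(
        secret, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_seg)):
        raise ValueError("bad signature")
    # The claims come from payload_seg, the same bytes that were just authenticated;
    # there is no second parse of the token that could disagree with this one.
    claims = json.loads(_b64url_decode(payload_seg))
    if not isinstance(claims, dict):
        raise ValueError("claims must be a JSON object")
    return claims


def splice_claims(token: str, new_claims: dict) -> str:
    """What an attacker holding a valid token attempts: keep the header and the
    original signature, replace only the payload segment."""
    header_seg, _, sig_seg = token.split(".")
    new_payload = _b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header_seg}.{new_payload}.{sig_seg}"


def is_rejected(token: str, secret: bytes) -> bool:
    """True if the verifier refuses the token for any reason."""
    try:
        verify_hs256(token, secret)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "admin": False}, SECRET)
    forged = splice_claims(good, {"sub": "alice", "admin": True})
    print("genuine token accepted:", not is_rejected(good, SECRET))
    print("spliced claims rejected:", is_rejected(forged, SECRET))
```

The property to check in any JWT library, whatever its internal parser, is the one `verify_hs256` makes explicit: the claims handed back to the application must be decoded from the byte string the signature was verified over, and the verifier must not accept alternative serializations that let two different parsers see two different payloads.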



Affected product: python-jwt (vendor: python-jwt project)

Vendor Advisories

Description: The MITRE CVE dictionary describes this issue as: python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its content ...

Github Repositories

A working POC found while doing an HTB challenge. Original: https://github.com/user0x1337/CVE-2022-39227

This repo belongs to github.com/user0x1337/CVE-2022-39227; I just copied it.

Python module for generating and verifying JSON Web Tokens

python-jwt: Module for generating and verifying JSON Web Tokens. All versions of python-jwt are now DEPRECATED; I don't have the time to maintain this module. Note: Versions 3.3.4 and later fix a vulnerability (CVE-2022-39227) in JSON Web Token verification which lets an attacker with a valid token re-use its signature with modified claims.

CVE-2022-39227 : Proof of Concept

CVE-2022-39227: Proof of Concept. Proof of concept for CVE-2022-39227. According to this CVE, there is a flaw in the JSON Web Token verification: it is possible, with a valid token, to re-use its signature with modified claims. Required: a valid JWT; the backend needs to use the Python library "python-jwt" in a version < 3.3.4. For