PT-2017-12006 · Python+1 · Pyjwt+1
Jpadilla · Published 2017-08-24 · Updated 2022-05-13 · CVE-2017-11424
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
PyJWT versions 1.5.0 and below
Description
The issue concerns a symmetric/asymmetric key confusion attack. In PyJWT, the invalid-strings check in HMACAlgorithm.prepare_key does not account for all PEM encoded public keys, specifically the PKCS1 PEM encoded format. Because such a public key is then accepted as an HMAC secret, an attacker can craft JWTs from scratch when PKCS1 PEM encoded public keys are used.
Recommendations
For PyJWT versions 1.5.0 and below, update to a version above 1.5.0 to resolve the issue. As a temporary workaround, restrict the use of PKCS1 PEM encoded public keys to minimize the risk of exploitation, and avoid passing PKCS1 PEM encoded public keys to HMACAlgorithm.prepare_key until the issue is resolved.
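The check described above, written out as an added example (not PyJWT's own code): a key gate for HMAC verification that refuses public key material, shown with the marker list missing the PKCS1 header beside the hardened list that includes it. The marker tuples, function names and the sample PEM body are constructed for this illustration.

```python
import hashlib
import hmac


class InvalidKeyError(ValueError):
    """Raised when public key material is offered as an HMAC secret."""


# Markers for public (non-secret) key material. The advisory says the
# PKCS1 PEM format was the case the check missed; its header is
# "-----BEGIN RSA PUBLIC KEY-----", distinct from the SPKI header below.
MARKERS_MISSING_PKCS1 = (
    b"-----BEGIN PUBLIC KEY-----",
    b"-----BEGIN CERTIFICATE-----",
    b"ssh-rsa",
)
MARKERS_HARDENED = MARKERS_MISSING_PKCS1 + (b"-----BEGIN RSA PUBLIC KEY-----",)

# Constructed sample: real PKCS1 header/footer around a placeholder body.
SAMPLE_PKCS1_PUBLIC_KEY = (
    b"-----BEGIN RSA PUBLIC KEY-----\n"
    b"MIIBCgKCAQEAPLACEHOLDERNOTAREALKEY\n"
    b"-----END RSA PUBLIC KEY-----\n"
)


def prepare_hmac_key(key, markers=MARKERS_HARDENED):
    """Return key as bytes if it is acceptable as an HMAC secret.

    Anything containing a public key marker is refused, because a value
    that is public cannot authenticate anyone. Passing
    markers=MARKERS_MISSING_PKCS1 reproduces the gap the advisory describes.
    """
    if isinstance(key, str):
        key = key.encode("utf-8")
    if not isinstance(key, bytes):
        raise TypeError("HMAC key must be str or bytes")
    for marker in markers:
        if marker in key:
            raise InvalidKeyError("public key material used as HMAC secret")
    return key


def sign_hs256(key, signing_input):
    """HS256 tag over the JWT signing input (header.payload) as raw bytes."""
    return hmac.new(prepare_hmac_key(key), signing_input, hashlib.sha256).digest()


def verify_hs256(key, signing_input, signature, markers=MARKERS_HARDENED):
    """Constant-time HS256 check; the key gate runs before any HMAC is computed."""
    expected = hmac.new(prepare_hmac_key(key, markers), signing_input,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)
```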
Related identifiers
Affected products
Pyjwt
Ubuntu