Emmharnuherl

**Name of the Vulnerable Software and Affected Versions** lepture Authlib versions prior to 1.3.1 **Description** The issue concerns algorithm confusion with asymmetric public keys in lepture Authlib. Unless an algorithm is specified in a `jwt.decode` call, HMAC verification is allowed with any asymmetric public key. **Recommendations** For versions prior to 1.3.1, update to version 1.3.1 or later to resolve the issue. As a temporary workaround, consider specifying an algorithm in `jwt.decode` calls to prevent HMAC verification with arbitrary asymmetric public keys.

**Name of the Vulnerable Software and Affected Versions** python-jose versions 3.3.0 and earlier **Description** The issue is related to algorithm confusion with OpenSSH ECDSA keys and other key formats in the python-jose component. It is associated with the definition of a prefix blacklist for OpenSSH ECDSA public keys. Exploitation of this issue may allow a remote attacker to gain unauthorized access to OpenSSH ECDSA public keys. **Recommendations** For python-jose versions 3.3.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PyJWT versions prior to 2.4.0 **Description** The issue is related to the implementation of JWT in Python PyJWT, where an attacker can exploit the lack of restrictions on certain open key formats. This allows a remote attacker to impact the integrity of data. The PyJWT library supports multiple JWT signing algorithms, and the application must specify which algorithms are supported. If the application uses `jwt.algorithms.get default algorithms()`, it may be vulnerable to attacks. The estimated number of potentially affected devices is not specified. **Recommendations** For versions prior to 2.4.0, upgrade to v2.4.0 to receive a patch for this issue. As a temporary workaround, always be explicit with the algorithms that are accepted and expected when decoding.