PT-2017-12006 · Python · PyJWT

Jpadilla · Published 2017-08-24 · Updated 2022-05-13 · CVE-2017-11424

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: PyJWT versions 1.5.0 and below

Description: The issue is a symmetric/asymmetric key confusion attack. In PyJWT, the invalid-strings check in HMACAlgorithm.prepare_key does not account for all PEM-encoded public keys, specifically the PKCS1 PEM-encoded format ("BEGIN RSA PUBLIC KEY"). When an application verifies tokens with such a public key and still accepts HMAC algorithms, an attacker who knows the public key can craft JWTs from scratch.

Recommendations: For PyJWT versions 1.5.0 and below, update to a version above 1.5.0 to resolve the issue. As a temporary workaround, restrict the use of PKCS1 PEM-encoded public keys to minimize the risk of exploitation. Avoid passing PKCS1 PEM-encoded public keys through the HMACAlgorithm.prepare_key function until the issue is resolved.
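The check below is an added example, not PyJWT's own code: a defensive version of the "invalid strings" guard the description refers to, extended with the PKCS1 PEM header that PyJWT 1.5.0 and below did not reject. The function names, the marker list and the sample key strings are this example's own assumptions and constructed data.

```python
"""Refuse asymmetric public-key material offered as an HMAC secret.

Added example modelled on the idea behind HMACAlgorithm.prepare_key;
it is not PyJWT's implementation. Constructed sample keys at the bottom.
"""

# Markers that identify public-key material. Any of them inside an HMAC
# secret means the verification key was confused with a shared secret
# (the key-confusion pattern of CVE-2017-11424).
PUBLIC_KEY_MARKERS = (
    b"-----BEGIN PUBLIC KEY-----",      # SPKI (X.509 SubjectPublicKeyInfo)
    b"-----BEGIN RSA PUBLIC KEY-----",  # PKCS1: the format missed in <= 1.5.0
    b"-----BEGIN CERTIFICATE-----",     # X.509 certificate
    b"ssh-rsa",                         # OpenSSH public-key formats
    b"ssh-ed25519",
)


class InvalidKeyError(ValueError):
    """Raised when public-key material is passed as an HMAC secret."""


def prepare_hmac_key(key):
    """Return the HMAC secret as bytes, or raise if it looks like a public key.

    A str is UTF-8 encoded, bytes are used as-is, and the result is scanned
    for every marker before it may be used to sign or verify a token.
    """
    if isinstance(key, str):
        key = key.encode("utf-8")
    if not isinstance(key, bytes):
        raise TypeError("HMAC key must be str or bytes")
    for marker in PUBLIC_KEY_MARKERS:
        if marker in key:
            raise InvalidKeyError(
                "asymmetric key material cannot be used as an HMAC secret")
    return key


def is_hmac_secret_safe(key):
    """Boolean wrapper: True only when prepare_hmac_key accepts the key."""
    try:
        prepare_hmac_key(key)
    except InvalidKeyError:
        return False
    return True


# Constructed sample inputs (the base64 bodies are placeholders, not real keys).
PKCS1_PEM = (b"-----BEGIN RSA PUBLIC KEY-----\nAAAAplaceholderAAAA\n"
             b"-----END RSA PUBLIC KEY-----\n")
SPKI_PEM = (b"-----BEGIN PUBLIC KEY-----\nAAAAplaceholderAAAA\n"
            b"-----END PUBLIC KEY-----\n")
SHARED_SECRET = "constructed-shared-hmac-secret"
```

Pair this guard with an explicit `algorithms=[...]` allowlist at verification time so that a token carrying `"alg": "HS256"` is never checked against an RSA key in the first place.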


Related Identifiers

CVE-2017-11424
DSA-3979-1
GHSA-R9JW-MWHQ-WP62
PYSEC-2017-24
USN-3407-1

Affected Products

Pyjwt
Ubuntu