PT-2020-16372 · Python · Python Oic

Christian Mainka +1

Published 2020-12-02 · Updated 2024-07-12

CVE-2020-26244

CVSS v4.0: 7.6 High
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Python oic versions prior to 1.2.1
Description: The issue affects client implementations using the Python oic library, a Python OpenID Connect implementation. There are several related cryptographic issues:
  1. The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg.
  2. The JWA none algorithm was allowed in all flows.
  3. oic.consumer.Consumer.parse_authz returns an unverified IdToken, with verification left to the implementer's discretion.
  4. The iat claim was not checked for sanity, allowing it to be in the future.
Recommendations: For versions prior to 1.2.1, update to version 1.2.1 to resolve the issues. Until the update is applied, the following temporary workarounds reduce the risk: disable the use of the JWA none algorithm in all flows; restrict use of the oic.consumer.Consumer.parse_authz function, since it returns an unverified IdToken, to minimize the risk of exploitation; and do not rely on the iat claim without a proper sanity check.
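As an added illustration of the four checks the description lists, the following stand-alone verifier for an HS256-signed ID token enforces all of them; it is example code written for this page, not code from the oic project, and the helper names, key and token values are constructed. It assumes the client secret is the HMAC key, as OpenID Connect allows for HS256 ID tokens.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS; used here only to construct sample inputs (alg='none' gives an empty signature)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes, expected_alg: str = "HS256",
                    now: Optional[float] = None, leeway: int = 60) -> dict:
    """Return the claims only after every check passes (constructed example; only HS256 is implemented).

    1. The header alg is always compared with the expected algorithm, not only when a kwarg is given.
    2. alg 'none' is rejected unconditionally.
    3. The signature is verified before any claim is handed back to the caller.
    4. iat must not lie in the future (beyond a small clock-skew leeway) and exp must not have passed.
    """
    if expected_alg != "HS256":
        raise NotImplementedError("this example only implements HS256")
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed compact JWS")
    alg = json.loads(_b64url_decode(h_b64)).get("alg")
    if alg == "none" or alg != expected_alg:
        raise ValueError(f"unexpected alg {alg!r}")
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise ValueError("iat missing or in the future")
    if not isinstance(exp, (int, float)) or exp < now - leeway:
        raise ValueError("exp missing or token expired")
    return claims
```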

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2020-26244
GHSA-4FJV-PMHG-3RFG
OPENSUSE-SU-2024:11244-1
OPENSUSE-SU-2024:14150-1
PYSEC-2020-69

Affected Products

Python Oic