PT-2024-27665 · Lepture Authlib

Emmharnuherl · Published 2024-06-09 · Updated 2026-03-29 · CVE-2024-37568

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: lepture Authlib, versions prior to 1.3.1
Description: Algorithm confusion with asymmetric public keys in lepture Authlib. Unless the accepted algorithms are restricted for the jwt.decode call, the verifier honours whatever `alg` the token's header declares, so a token signed with an HMAC algorithm (HS256/HS384/HS512) using the bytes of the server's asymmetric public key as the HMAC secret passes verification against that public key. Since a public key is by design available to anyone, an unauthenticated attacker can forge tokens with arbitrary claims; the impact is on integrity only (C:N/I:H/A:N in the vector above).
Recommendations: For versions prior to 1.3.1, update to version 1.3.1 or later. As a temporary workaround, restrict the accepted algorithms so that HMAC verification can never be performed with an asymmetric public key; in Authlib that means constructing the decoder with an explicit allow-list, for example JsonWebToken(['RS256']), instead of decoding with the module-level jwt instance that accepts every registered algorithm. Pinning the algorithm list also closes the attack on older, unpatched releases, because the `alg` header is checked against the allow-list before the key is used.
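The attack and both defences, as an added, constructed example (not Authlib's own code): a minimal JWT verifier that implements only the HMAC family, carries the unsafe behaviour the advisory describes (the token's `alg` header selects the algorithm, so a PEM public key passed as `key` silently becomes an HMAC secret), and exposes two guards beside it: an algorithm allow-list, which is the advisory's workaround, and a refusal to use asymmetric key material with an HMAC algorithm. The public key PEM, the claims and the function names (`sign_hmac_token`, `decode`, `demo`) are assumptions made for the illustration; asymmetric verification itself is not modelled.

```python
"""Model of the algorithm-confusion bug described above.

Constructed example, not Authlib's own code: a minimal JWT verifier that
implements only the HMAC family, with the unsafe behaviour the advisory
describes (the token's `alg` header picks the algorithm, so a PEM public
key handed in as `key` silently becomes an HMAC secret), beside two
defences: an algorithm allow-list (the advisory's workaround) and a refusal
to use asymmetric key material with an HMAC algorithm.
"""
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the server's RSA public key as read from a PEM
# file. It is not a valid key; only its bytes matter for the attack.
PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJexampleonlyexampleonlyexampleonly\n"
    "-----END PUBLIC KEY-----\n"
)

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                   "ES256", "ES384", "ES512"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hmac_token(secret: str, claims: dict, alg: str = "HS256") -> str:
    """Mint an HMAC-signed JWT. The attacker calls this with the server's
    public key PEM as `secret`; a legitimate HS256 issuer calls it with the
    real shared secret."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    mac = hmac.new(secret.encode(), signing_input.encode(), HMAC_ALGS[alg]).digest()
    return signing_input + "." + _b64url(mac)


def _looks_asymmetric(key) -> bool:
    """Stand-in for 'key is an asymmetric key object' (PEM text here)."""
    return isinstance(key, str) and key.lstrip().startswith("-----BEGIN")


def decode(token: str, key: str, algorithms=None, reject_pem_for_hmac=False) -> dict:
    """Verify the token and return its claims.

    With the defaults (no allow-list, no key-type check) this mirrors the
    vulnerable behaviour: whatever `alg` the token carries is honoured.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    # Defence 1: only algorithms the verifier was configured for are accepted,
    # and the check happens before the key is touched.
    if algorithms is not None and alg not in algorithms:
        raise ValueError(f"unsupported alg {alg!r}")
    if alg in HMAC_ALGS:
        # Defence 2: public key material must never act as an HMAC secret.
        if reject_pem_for_hmac and _looks_asymmetric(key):
            raise ValueError("asymmetric key material used with HMAC algorithm")
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(key.encode(), signing_input, HMAC_ALGS[alg]).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(payload_b64))
    if alg in ASYMMETRIC_ALGS:
        # Real RS/PS/ES verification needs a crypto library; out of scope here.
        raise NotImplementedError("asymmetric verification not modelled")
    raise ValueError(f"unknown alg {alg!r}")


def demo() -> dict:
    """Run a forged token through the vulnerable and the hardened paths."""
    forged = sign_hmac_token(PUBLIC_KEY_PEM, {"sub": "admin"})
    results = {"vulnerable": decode(forged, PUBLIC_KEY_PEM)}
    hardened = {"allow_list": {"algorithms": ["RS256"]},
                "key_type_check": {"reject_pem_for_hmac": True}}
    for name, kwargs in hardened.items():
        try:
            decode(forged, PUBLIC_KEY_PEM, **kwargs)
            results[name] = "ACCEPTED"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    # A genuine shared-secret deployment keeps working under both defences.
    legit = sign_hmac_token("s3cret-shared-with-issuer", {"sub": "alice"})
    results["legit_hs256"] = decode(legit, "s3cret-shared-with-issuer",
                                    algorithms=["HS256"], reject_pem_for_hmac=True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

The `vulnerable` path accepts the forged `{"sub": "admin"}` token because the PEM bytes are the only "secret" the HS256 branch ever sees. The allow-list rejects it on the `alg` header alone, which is why pinning algorithms works even on releases that have no key-type guard, and the key-type check rejects it even when HMAC algorithms must remain enabled for other token issuers.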

Weakness Enumeration

Improper Verification of Cryptographic Signature (CWE-347)
Improper Access Control (CWE-284)
Use of a Broken Cryptographic Algorithm (CWE-327)

Related Identifiers

CVE-2024-37568
DLA-4352-1
GHSA-5357-C2JX-V7QH
MGASA-2024-0238
OPENSUSE-SU-2024:14035-1
OPENSUSE-SU-2024_2064-1
PYSEC-2024-52
SUSE-SU-2024:2064-1
USN-8065-1

Affected Products

Debian
Linuxmint
Suse
Ubuntu
Lepture Authlib