Name of the Vulnerable Software and Affected Versions: vng-api-common versions prior to 1.12.2

Description: This issue is related to a privilege escalation vulnerability, although its impact is negligible and entirely theoretical. It involves the verification of client-supplied JSON Web Tokens (JWTs) and how the PyJWT library handles user-supplied algorithms. The vulnerability could potentially allow an attacker to tamper with client JWTs, resulting in privilege escalation and impersonation of any client without leaving a trace. However, due to the use of an explicit allow-list of known algorithms in the PyJWT library, user-supplied invalid algorithms are rejected, making this vulnerability non-exploitable.

Recommendations: For versions prior to 1.12.2, update to version 1.12.2 to resolve the issue. As a temporary workaround, consider checking that the used PyJWT has no algorithms specified with a name in "", "HS25", "HS2", "HS", "H", or ensure that those algorithms are acceptable.