Bug 2129744 (CVE-2022-39227) - CVE-2022-39227 python-jwt: token forgery with new claims
Summary: CVE-2022-39227 python-jwt: token forgery with new claims
Keywords:
Status: NEW
Alias: CVE-2022-39227
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2129745 2132810 2132811 2132812 2258833
Blocks: 2129746
Reported: 2022-09-26 08:45 UTC by TEJ RATHI
Modified: 2024-01-17 16:17 UTC (History)
CC: 20 users

Fixed In Version: python-jwt 3.3.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-jwt. Versions prior to 3.3.4 are subject to authentication bypass by spoofing: an attacker who obtains a valid JWT can forge its contents without knowing the secret key, and the forged token still verifies. Depending on the application, the attacker can spoof other users' identities, hijack their sessions, or bypass authentication.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description TEJ RATHI 2022-09-26 08:45:41 UTC
python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other users' identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.

https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9
https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp
https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml

Comment 1 TEJ RATHI 2022-09-26 08:46:03 UTC
Created python-jwt tracking bugs for this issue:

Affects: fedora-all [bug 2129745]

Comment 4 Sandipan Roy 2022-10-07 13:11:31 UTC
python-jwt upstream is not the same as our python-jwt. Our python-jwt uses PyJWT (upstream).

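The naming clash in Comment 4 is the practical trap here: two unrelated projects (davedoesdev's python-jwt, which this CVE concerns, and PyJWT, which Fedora ships as python-jwt) both install a top-level module called `jwt`, so `import jwt; jwt.__version__` does not tell you which one you have. The check below is an added example, not code from the bug or from either project. It assumes the affected project is published on PyPI under the distribution name "jwt" and PyJWT under "PyJWT" (both assumptions of this example), and takes the fixed version 3.3.4 from the bug's "Fixed In Version" field. The helper names are this example's own.

```python
"""Decide whether the `jwt` module in this environment comes from the
python-jwt distribution affected by CVE-2022-39227 and, if so, whether
it predates the 3.3.4 fix.  Assumptions (not stated on the bug page):
the affected project is the PyPI distribution "jwt"; PyJWT is the PyPI
distribution "PyJWT"; both provide a top-level module named `jwt`."""
import importlib.metadata as md
import re

FIXED_VERSION = "3.3.4"   # from the bug's "Fixed In Version" field
AFFECTED_DIST = "jwt"     # assumed PyPI name of davedoesdev/python-jwt


def parse_version(text: str) -> tuple:
    """Turn '3.3.4', '3.3.4rc1' or '3.3.4.post1' into a comparable tuple.
    The last element orders pre-releases (-1) below the bare release (0)
    and post-releases (1) above it.  Dotted parts are padded to three
    so that '3.3' compares equal to '3.3.0'."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))
    suffix = m.group(2).lstrip(".")
    if not suffix:
        marker = 0
    elif suffix.startswith("post"):
        marker = 1
    else:
        marker = -1
    return nums + (marker,)


def is_affected(dist_name: str, version: str) -> bool:
    """True only for the python-jwt distribution below the fixed version.
    Any other distribution (PyJWT included) is out of scope for this CVE."""
    if dist_name.lower() != AFFECTED_DIST:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def distributions_for_module(module: str) -> list:
    """Names of installed distributions that provide `module` as a
    top-level import.  Uses packages_distributions() on Python 3.10+,
    otherwise falls back to each distribution's top_level.txt."""
    func = getattr(md, "packages_distributions", None)
    if func is not None:
        return list(func().get(module, []))
    names = []
    for dist in md.distributions():
        top = dist.read_text("top_level.txt") or ""
        if module in top.split():
            names.append(dist.metadata["Name"])
    return names


def classify_jwt_module() -> dict:
    """Report which distribution(s) back the `jwt` module and whether any
    of them is the affected python-jwt.  Returns
    {"distributions": {name: version}, "affected": bool}."""
    report = {"distributions": {}, "affected": False}
    for name in distributions_for_module("jwt"):
        try:
            ver = md.version(name)
        except md.PackageNotFoundError:
            ver = "unknown"
        report["distributions"][name] = ver
        if ver != "unknown" and is_affected(name, ver):
            report["affected"] = True
    return report


if __name__ == "__main__":
    r = classify_jwt_module()
    if not r["distributions"]:
        print("no installed distribution provides a top-level `jwt` module")
    for name, ver in r["distributions"].items():
        state = "AFFECTED (upgrade python-jwt to >= 3.3.4)" if is_affected(name, ver) else "not affected by CVE-2022-39227"
        print(f"{name} {ver}: {state}")
```

Run it inside the interpreter your application uses (a virtualenv can differ from the system Python). A result that names "PyJWT" matches the situation in Comment 4: the `jwt` import is PyJWT, and this CVE does not apply; a result that names "jwt" with a version below 3.3.4 is the affected package and, since there are no workarounds, only an upgrade fixes it.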
