Bug 2291129 (CVE-2024-37568) - CVE-2024-37568 python-authlib: Algorithm confusion when verifying JSON Web Tokens with asymmetric public keys
Keywords:
Status: NEW
Alias: CVE-2024-37568
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2291130
Blocks:
Reported: 2024-06-10 07:30 UTC by Mauro Matteo Cascella
Modified: 2024-06-10 07:32 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Mauro Matteo Cascella 2024-06-10 07:30:33 UTC
NVD description: lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663).

Upstream issue:
https://github.com/lepture/authlib/issues/654
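The defensive check the description implies, as an added example that is not Authlib's own code: a minimal HMAC-JWT verifier that pins the allowed algorithms server-side and refuses to treat PEM or JWK public-key material as an HMAC secret, so a token whose header claims HS256 is rejected before any signature check runs. The names (`verify_hs`, `is_asymmetric_key`, `AlgorithmMismatch`) and the secret and PEM bytes are constructed for this example.

```python
import base64, hashlib, hmac, json

# A shared secret only validates HS*; a PEM/JWK public key only validates RS*/ES*/PS*.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
# Constructed sample inputs, not real key material.
SECRET = b"constructed-shared-secret"
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nMIIB...constructed...\n-----END PUBLIC KEY-----\n"

class AlgorithmMismatch(Exception):
    """The token's alg and the supplied key cannot legitimately belong together."""

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def is_asymmetric_key(key) -> bool:
    """Heuristic: PEM text (bytes) or a JWK dict with kty RSA/EC/OKP is never an HMAC secret."""
    if isinstance(key, dict):
        return key.get("kty") in ("RSA", "EC", "OKP")
    return key.lstrip().startswith(b"-----BEGIN ")

def sign_hs(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Issue an HMAC-signed compact JWT (the legitimate issuer-side path)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), HMAC_ALGS[alg]).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_hs(token: str, key, allowed_algs) -> dict:
    """Verify an HMAC JWT, refusing before any signature math when alg and key disagree."""
    header_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in allowed_algs or alg not in HMAC_ALGS:  # pin the algorithm in code
        raise AlgorithmMismatch(f"alg {alg!r} is not an allowed HMAC algorithm")
    if is_asymmetric_key(key):  # the confusion described in CVE-2024-37568
        raise AlgorithmMismatch("asymmetric public key offered as an HMAC secret")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(body_b64))

def check(token: str, key, allowed_algs):
    """Return the verified claims, or the name of the exception that rejected the token."""
    try:
        return verify_hs(token, key, allowed_algs)
    except (AlgorithmMismatch, ValueError) as exc:
        return type(exc).__name__
```

The same rule holds whichever library does the verification: the accepted algorithm list is fixed in code rather than read from the token header, and public-key material is never handed to an HMAC verifier.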

Comment 1 Mauro Matteo Cascella 2024-06-10 07:30:47 UTC
Created python-authlib tracking bugs for this issue:

Affects: fedora-all [bug 2291130]

