CVE-2017-11424

In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.
References
Link Resource
https://github.com/jpadilla/pyjwt/pull/277 Issue Tracking Patch Third Party Advisory
http://www.debian.org/security/2017/dsa-3979 Third Party Advisory
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:pyjwt_project:pyjwt:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Information

Published : 2017-08-24 09:29

Updated : 2019-10-02 17:03


NVD link : CVE-2017-11424

Mitre link : CVE-2017-11424


JSON object : View

Advertisement

dedicated server usa

Products Affected

debian

  • debian_linux

pyjwt_project

  • pyjwt