Tue, 03 Dec 2024 01:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References | | |
Metrics | threat_severity | threat_severity |
Mon, 02 Dec 2024 18:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | cvssV3_1 | cvssV3_1 |
Mon, 02 Dec 2024 12:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Pyjwt Project, Pyjwt Project pyjwt | |
CPEs | cpe:2.3:a:pyjwt_project:pyjwt:2.10.0:*:*:*:*:*:*:* | |
Vendors & Products | Pyjwt Project, Pyjwt Project pyjwt | |
Metrics | ssvc | |
Fri, 29 Nov 2024 19:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `"abc"` being accepted for `"_abc_"`. This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequence, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |
Title | Issuer field partial matches allowed in pyjwt | |
Weaknesses | CWE-697 | |
References | | |
Metrics | cvssV3_1 | |
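The comparison defect described above, reproduced in a small constructed reimplementation of the issuer check (added example, not pyjwt's own code): the first function mirrors the 2.10.0 ordering in which a `str` falls into the `Sequence` branch and is matched by substring, the second checks `str` before `Sequence` so a single expected issuer is compared with equality.

```python
from collections.abc import Sequence

# Constructed model of the "iss" claim check; function names are
# assumptions for this example, not identifiers from pyjwt.


def issuer_accepted_vulnerable(claim_iss, expected):
    """2.10.0-style ordering: str is a Sequence, so `in` is used even
    for a single issuer string, turning the check into a substring test."""
    if not isinstance(claim_iss, str):
        return False
    if isinstance(expected, Sequence):
        return claim_iss in expected  # substring match when expected is a str
    return claim_iss == expected


def issuer_accepted_fixed(claim_iss, expected):
    """Handle str before the generic Sequence branch so a single issuer is
    compared with equality; a list of issuers still allows any exact match."""
    if not isinstance(claim_iss, str):
        return False
    if isinstance(expected, str):
        return claim_iss == expected
    if isinstance(expected, Sequence):
        return any(claim_iss == allowed for allowed in expected)
    return claim_iss == expected


if __name__ == "__main__":
    # Constructed inputs: a token claiming issuer "abc" against the
    # configured issuer "__abc__" is wrongly accepted by the old ordering.
    print(issuer_accepted_vulnerable("abc", "__abc__"))  # True (bug)
    print(issuer_accepted_fixed("abc", "__abc__"))  # False
    print(issuer_accepted_fixed("abc", ["abc", "def"]))  # True
```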
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-11-29T18:43:07.644Z
Updated: 2024-12-02T18:10:35.507Z
Reserved: 2024-11-22T17:30:02.144Z
Link: CVE-2024-53861
Updated: 2024-12-02T11:12:13.492Z
Status: Awaiting Analysis
Published: 2024-11-29T19:15:09.433
Modified: 2024-12-02T19:15:12.150
Link: CVE-2024-53861