CVE-2024-53861

pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 2.2 LOW

2.2^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.7 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366
https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm

Configurations

No configuration.

History

No history.

Information

Published : 2024-11-29 19:15

Updated : 2024-12-02 19:15

NVD link : CVE-2024-53861

Mitre link : CVE-2024-53861

CVE.ORG link : CVE-2024-53861

JSON object : View

Products Affected

No product.

CWE

CWE-697

Incorrect Comparison

{"id": "CVE-2024-53861", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 0.7}]}, "published": "2024-11-29T19:15:09.433", "references": [{"url": "https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366", "source": "security-advisories@github.com"}, {"url": "https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1", "source": "security-advisories@github.com"}, {"url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-697"}]}], "descriptions": [{"lang": "en", "value": "pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `\"acb\"` being accepted for `\"_abc_\"`. This is a bug introduced in version 2.10.0: checking the \"iss\" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if \"abc\" not in \"__abcd__\":` being checked instead of `if \"abc\" != \"__abc__\":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "pyjwt es una implementaci\u00f3n de JSON Web Token en Python. Se ejecuta una comparaci\u00f3n de cadena incorrecta para la comprobaci\u00f3n de `iss`, lo que da como resultado que `\"acb\"` se acepte en lugar de `\"_abc_\"`. Este es un error introducido en la versi\u00f3n 2.10.0: la comprobaci\u00f3n de la reclamaci\u00f3n \"iss\" cambi\u00f3 de `isinstance(issuer, list)` a `isinstance(issuer, Sequence)`. Dado que str es una secuencia, pero no una lista, `in` tambi\u00e9n se utiliza para la comparaci\u00f3n de cadenas. Esto da como resultado que se compruebe `if \"abc\" not in \"__abcd__\":` en lugar de `if \"abc\" != \"__abc__\":`. Las comprobaciones de firma a\u00fan est\u00e1n presentes, por lo que es probable que el impacto en el mundo real se limite a escenarios de denegaci\u00f3n de servicio. Este problema se ha corregido en la versi\u00f3n 2.10.1. Se recomienda a todos los usuarios que actualicen. No existen workarounds conocidos para esta vulnerabilidad."}], "lastModified": "2024-12-02T19:15:12.150", "sourceIdentifier": "security-advisories@github.com"}