CVE-2022-29217
CVSS V2 Medium 5
CVSS V3 High 7.5
Description
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.
Overview
- CVE ID
- CVE-2022-29217
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-05-24T15:15:07
- Last Modified Date
- 2022-06-07T14:40:23
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End |
---|---|---|---|---|
cpe:2.3:a:pyjwt_project:pyjwt:*:*:*:*:*:*:*:* | 1 | OR | 1.5.0 | 2.4.0 |
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* | 1 | OR | ||
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* | 1 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:L/Au:N/C:N/I:P/A:N
- Access Vector
- NETWORK
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- NONE
- Integrity Impact
- PARTIAL
- Availability Impact
- NONE
- Base Score
- 5
- Severity
- MEDIUM
- Exploitability Score
- 10
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- NONE
- Availability Impact
- NONE
- Base Score
- 7.5
- Base Severity
- HIGH
- Exploitability Score
- 3.9
- Impact Score
- 3.6
References
Reference URL | Reference Tags |
---|---|
https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc | Patch Third Party Advisory |
https://github.com/jpadilla/pyjwt/releases/tag/2.4.0 | Release Notes Third Party Advisory |
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24 | Issue Tracking Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PK7IQCBVNLYJEFTPHBBPFP72H4WUFNX/ | Mailing List Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HIYEYZRQEP6QTHT3EHH3RGFYJIHIMAO/ | Mailing List Third Party Advisory |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-29217 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29217 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2022-05-24 16:00:15 | Added to TrackCVE |