CVE-2022-29217 — Use of a Broken or Risky Cryptographic Algorithm in Project Pyjwt

CWE-327 — Use of a Broken or Risky Cryptographic Algorithm CWE-284 — Improper Access Control CWE-347 — Improper Verification of Cryptographic Signature21 documents9 sources

Severity

7.5HIGHNVD

NVD6.5

EPSS

0.3%

top 45.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pyjwt Project Pyjwt Authlib Python-jose Project Python-jose +11 more

Timeline

PublishedMay 24

Latest updateSep 3

Description

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has t…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages17 packages

▶debiandebian/pyjwt< pyjwt 2.4.0-1 (bookworm)

▶NVDpyjwt_project/pyjwt1.5.0 — 2.4.0

▶PyPIpyjwt_project/pyjwt1.5.0 — 2.4.0

▶Debianpyjwt_project/pyjwt< 2.4.0-1+2

▶debiandebian/python-authlib< python-authlib 0.15.4-1+deb11u1 (bullseye)

Also affects: Fedora 35, 36

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-37568: lepture Authlib before 1↗2024-06-09

▶

OSV

Authlib has algorithm confusion with asymmetric public keys↗2024-06-09

▶

GHSA

Authlib has algorithm confusion with asymmetric public keys↗2024-06-09

▶

OSV

CVE-2024-33663: python-jose through 3↗2024-04-26

▶

OSV

python-jose algorithm confusion with OpenSSH ECDSA keys↗2024-04-26

▶

📋Vendor Advisories

Red Hat

python-jose: algorithm confusion with OpenSSH ECDSA keys and other key formats↗2024-04-26

▶

Palo Alto

PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-02-14

▶

Debian

CVE-2024-33663: python-jose - python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and ot...↗2024

▶

Debian

CVE-2024-37568: python-authlib - lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys...↗2024

▶

Ubuntu

PyJWT vulnerability↗2022-07-20

▶

📄Research Papers

arXiv

VulnRepairEval: An Exploit-Based Evaluation Framework for Assessing Large Language Model Vulnerability Repair Capabilities↗2025-09-03

▶