CVE-2024-33663 — Improper Access Control in Project Python-jose

CWE-284 — Improper Access Control CWE-327 — Use of a Broken or Risky Cryptographic Algorithm CWE-347 — Improper Verification of Cryptographic Signature11 documents5 sources

Severity

7.5HIGHNVD

NVD6.5

EPSS

0.7%

top 28.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Authlib Python-jose Project Python-jose Debian Python-authlib +1 more

Timeline

PublishedApr 26

Latest updateJun 9

Description

python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages6 packages

▶PyPIpython-jose_project/python-jose< 3.4.0

▶NVDpython-jose_project/python-jose3.3.0

▶debiandebian/python-jose

▶debiandebian/python-authlib< python-authlib 0.15.4-1+deb11u1 (bullseye)

▶NVDauthlib/authlib< 1.3.1

🔴Vulnerability Details

OSV

CVE-2024-37568: lepture Authlib before 1↗2024-06-09

▶

OSV

Authlib has algorithm confusion with asymmetric public keys↗2024-06-09

▶

GHSA

Authlib has algorithm confusion with asymmetric public keys↗2024-06-09

▶

OSV

CVE-2024-33663: python-jose through 3↗2024-04-26

▶

OSV

python-jose algorithm confusion with OpenSSH ECDSA keys↗2024-04-26

▶

📋Vendor Advisories

Red Hat

python-jose: algorithm confusion with OpenSSH ECDSA keys and other key formats↗2024-04-26

▶

Debian

CVE-2024-33663: python-jose - python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and ot...↗2024

▶

Debian

CVE-2024-37568: python-authlib - lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys...↗2024

▶