GHSA-75c5-xw7c-p5pm
PyJWT Issuer field partial matches allowed
Details
### Summary

The wrong string `if` check is run for `iss` checking, resulting in `"abc"` being accepted for `"_abc_"`.
### Details

This is a bug introduced in version [2.10.0](https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366): checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`.
```diff
-            if isinstance(issuer, list):
+            if isinstance(issuer, Sequence):
                 if payload["iss"] not in issuer:
                     raise InvalidIssuerError("Invalid issuer")
             else:
```
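Review bot: the `-`/`+` change from `list` to `Sequence` lets a plain `str` issuer fall into the `payload["iss"] not in issuer` branch, where `in` on a string is substring containment rather than equality, so a single configured issuer is no longer compared exactly; normalise a `str` issuer to a one-element list before the membership test, or keep an explicit `isinstance(issuer, str)` branch that uses `!=`.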
Since `str` is a `Sequence`, but not a `list`, `in` is now also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`.

### PoC

Check out the unit tests added here: https://github.com/jpadilla/pyjwt-ghsa-75c5-xw7c-p5pm

```python
import jwt
import pytest
from jwt.exceptions import InvalidIssuerError

issuer = "urn:expected"
payload = {"iss": "urn:"}
token = jwt.encode(payload, "secret")

# decode() succeeds, even though "urn:" != "urn:expected". No exception is raised,
# so this assertion fails on an affected version.
with pytest.raises(InvalidIssuerError):
    jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"])
```
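The substring-versus-equality mismatch described above, reproduced beside a hardened variant, as an added example that is not PyJWT's code and not the fix from the referenced commit: `vulnerable_issuer_check` mirrors the 2.10.0 branch shown in the diff, `hardened_issuer_check` normalises a single string issuer to a one-element list before the membership test, and `InvalidIssuerError` is a local stand-in for the PyJWT exception.

```python
from collections.abc import Sequence


class InvalidIssuerError(Exception):
    """Local stand-in for jwt.exceptions.InvalidIssuerError (hypothetical)."""


def vulnerable_issuer_check(payload: dict, issuer) -> None:
    # Mirrors the 2.10.0 logic from the advisory: str is a Sequence, so for a
    # single issuer string `not in` degrades to a substring test. An empty
    # "iss" is therefore accepted too, because "" is a substring of anything.
    if issuer is None:
        return
    if "iss" not in payload:
        raise InvalidIssuerError("Token is missing the iss claim")
    if isinstance(issuer, Sequence):
        if payload["iss"] not in issuer:
            raise InvalidIssuerError("Invalid issuer")
    else:
        if payload["iss"] != issuer:
            raise InvalidIssuerError("Invalid issuer")


def hardened_issuer_check(payload: dict, issuer) -> None:
    # Assumed fix (not PyJWT's own code): wrap a single str in a list so the
    # membership test is always exact element equality, and reject issuer
    # values that are not strings so a bytes/int issuer cannot slip through.
    if issuer is None:
        return
    if "iss" not in payload:
        raise InvalidIssuerError("Token is missing the iss claim")
    allowed = [issuer] if isinstance(issuer, str) else list(issuer)
    if not allowed or not all(isinstance(a, str) for a in allowed):
        raise TypeError("issuer must be a str or a non-empty sequence of str")
    if payload["iss"] not in allowed:
        raise InvalidIssuerError("Invalid issuer")


def accepts(check, payload: dict, issuer) -> bool:
    """Return True if `check` lets the payload through, False if it rejects it."""
    try:
        check(payload, issuer)
    except InvalidIssuerError:
        return False
    return True
```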
### Impact
I would say the real world impact is not that high, seeing as the signature still has to match. We should still fix it.
References
- https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-53861 [ADVISORY]
- https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366 [WEB]
- https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1 [WEB]
- https://github.com/jpadilla/pyjwt [PACKAGE]