—

PYSEC-2017-24

상세

In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / pyjwt

최초 영향 버전: 0 수정 버전: 1.5.1

수정 pip install --upgrade 'pyjwt>=1.5.1'

참고

https://github.com/jpadilla/pyjwt/pull/277 [WEB]
http://www.debian.org/security/2017/dsa-3979 [ADVISORY]
https://github.com/advisories/GHSA-r9jw-mwhq-wp62 [ADVISORY]