CVE-2024-53861 – pyjwt

Package

Manager: pip
Name: pyjwt
Vulnerable Version: =2.10.0 || >=2.10.0 <2.10.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00039 pctl0.10937

Details

PyJWT Issuer field partial matches allowed ### Summary The wrong string if check is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. ### Details This is a bug introduced in version [2.10.0](https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366): checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. ```diff - if isinstance(issuer, list): + if isinstance(issuer, Sequence): if payload["iss"] not in issuer: raise InvalidIssuerError("Invalid issuer") else: ``` Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. ### PoC Check out the unit tests added here: https://github.com/jpadilla/pyjwt-ghsa-75c5-xw7c-p5pm ```python issuer = "urn:expected" payload = {"iss": "urn:"} token = jwt.encode(payload, "secret") # decode() succeeds, even though `"urn:" != "urn:expected". No exception is raised. with pytest.raises(InvalidIssuerError): jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"]) ``` ### Impact I would say the real world impact is not that high, seeing as the signature still has to match. We should still fix it.

Metadata

Created: 2024-12-02T18:34:11Z
Modified: 2024-12-02T18:34:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-75c5-xw7c-p5pm/GHSA-75c5-xw7c-p5pm.json
CWE IDs: ["CWE-697"]
Alternative ID: GHSA-75c5-xw7c-p5pm
Finding: F184
Auto approve: 1