Fluid Attacks Database

Description

python-jose algorithm confusion with OpenSSH ECDSA keys python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	python-jose	=3.3.0+dfsg-4 \|\| =3.3.0+dfsg-5	-
pypi	python-jose	>=0 <3.4.0	3.4.0

Aliases

1. CVE-2024-336632. NVD-2024-336633. OSV-DEBIAN-2024-336634. OSV-2024-336635. GCVE-2024-336636. SECURITY-TRACKER-CVE-2024-33663

References

1. https://github.com/mpdavis/python-jose/issues/3462. https://github.com/pypa/advisory-database/tree/main/vulns/python-jose/PYSEC-2024-232.yaml3. https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-python-jose-cve-2024-33663

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.