Fluid Attacks Database

Description

Authlib has algorithm confusion with asymmetric public keys lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	python-authlib	=0.15.4-1 \|\| >=0 <0.15.4-1+deb11u1	0.15.4-1+deb11u1
debian 12	python-authlib	=1.2.0-1 \|\| >=0 <1.2.0-1+deb12u1	1.2.0-1+deb12u1
debian 13	python-authlib	>=0 <1.3.1-1	1.3.1-1
debian 14	python-authlib	>=0 <1.3.1-1	1.3.1-1
pypi	authlib	>=0 <1.3.1	1.3.1

Aliases

1. CVE-2024-375682. NVD-2024-375683. OSV-DEBIAN-2024-375684. OSV-2024-375685. GCVE-2024-375686. SECURITY-TRACKER-CVE-2024-375687. lists.debian.org

References

1. https://github.com/lepture/authlib/issues/6542. https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2024-52.yaml3. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHJI32SN4FNAUVNALVGOKWHNSQ6XS3M54. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZI7HYGN7VZAYFV6UV3SRLYF7QGERXIU5. https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-lepture-authlib-cve-2024-37568

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.