logo

Database

Lack of data validation In pyjwt

Description

PyJWT Issuer field partial matches allowed

Summary

The wrong string if check is run for iss checking, resulting in "acb" being accepted for "_abc_".

Details

This is a bug introduced in version 2.10.0: checking the "iss" claim changed from isinstance(issuer, list) to isinstance(issuer, Sequence).

-        if isinstance(issuer, list):
+        if isinstance(issuer, Sequence):
            if payload["iss"] not in issuer:
                raise InvalidIssuerError("Invalid issuer")
        else:

Since str is a Sequnce, but not a list, in is also used for string comparison. This results in if "abc" not in "__abcd__": being checked instead of if "abc" != "__abc__":.

PoC

Check out the unit tests added here: https://github.com/jpadilla/pyjwt-ghsa-75c5-xw7c-p5pm

        issuer = "urn:expected"

        payload = {"iss": "urn:"}

        token = jwt.encode(payload, "secret")

        # decode() succeeds, even though `"urn:" != "urn:expected". No exception is raised.
        with pytest.raises(InvalidIssuerError):...

Impact

I would say the real world impact is not that high, seeing as the signature still has to match. We should still fix it.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-538612. NVD-2024-538613. OSV-2024-538614. GHSA-75c5-xw7c-p5pm5. GCVE-2024-53861

References

1. https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm2. https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R3663. https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.