[Python-modules-team] Bug#873244: pyjwt: CVE-2017-11424: Incorrect handling of PEM-encoded public keys
Salvatore Bonaccorso
carnil at debian.org
Fri Aug 25 18:59:33 UTC 2017
Source: pyjwt
Version: 1.4.2-1
Severity: important
Tags: security patch upstream
Forwarded: https://github.com/jpadilla/pyjwt/pull/277
Control: found -1 0.2.1-1+deb8u1
Hi,
the following vulnerability was published for pyjwt.
CVE-2017-11424[0]:
| In PyJWT 1.5.0 and below the `invalid_strings` check in
| `HMACAlgorithm.prepare_key` does not account for all PEM encoded
| public keys. Specifically, the PKCS1 PEM encoded format would be
| allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC
| KEY-----` which is not accounted for. This enables
| symmetric/asymmetric key confusion attacks against users using the
| PKCS1 PEM encoded public keys, which would allow an attacker to craft
| JWTs from scratch.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-11424
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11424
Please adjust the affected versions in the BTS as needed. I think this
should be present as well in 0.2.1-1+deb8u1.
Regards,
Salvatore
More information about the Python-modules-team
mailing list