DirectorySecurity Advisories
Sign In
Security Advisories

CVE-2024-53861

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-53861

CGA ID

CGA-22hm-4r66-wr76

Severity

2.2

Low

CVSS V3

Summary

PyJWT Issuer field partial matches allowed

Description

Summary

The wrong string if check is run for iss checking, resulting in "acb" being accepted for "_abc_".

Details

This is a bug introduced in version 2.10.0: checking the "iss" claim changed from isinstance(issuer, list) to isinstance(issuer, Sequence).

-        if isinstance(issuer, list):
+        if isinstance(issuer, Sequence):
            if payload["iss"] not in issuer:
                raise InvalidIssuerError("Invalid issuer")
        else:

Since str is a Sequnce, but not a list, in is also used for string comparison. This results in if "abc" not in "__abcd__": being checked instead of if "abc" != "__abc__":.

PoC

Check out the unit tests added here: https://github.com/jpadilla/pyjwt-ghsa-75c5-xw7c-p5pm

        issuer = "urn:expected"

        payload = {"iss": "urn:"}

        token = jwt.encode(payload, "secret")

        # decode() succeeds, even though `"urn:" != "urn:expected". No exception is raised.
        with pytest.raises(InvalidIssuerError):
            jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"])

Impact

I would say the real world impact is not that high, seeing as the signature still has to match. We should still fix it.

References

Affected packages


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images