CVE-2024-53861 - Vulnerability Details

Vendors	Products
Pyjwt Project	Pyjwt

Link	Providers
https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366
https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm
https://nvd.nist.gov/vuln/detail/CVE-2024-53861
https://www.cve.org/CVERecord?id=CVE-2024-53861

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-53861 https://www.cve.org/CVERecord?id=CVE-2024-53861
Metrics	threat_severity `None`	threat_severity `Low`

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N'}`	cvssV3_1 `{'score': 2.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N'}`

Type	Values Removed	Values Added
First Time appeared		Pyjwt Project Pyjwt Project pyjwt
CPEs		cpe:2.3:a:pyjwt_project:pyjwt:2.10.0:::::::*
Vendors & Products		Pyjwt Project Pyjwt Project pyjwt
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
Description		pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Title		Issuer field partial matches allowed in pyjwt
Weaknesses		CWE-697
References		https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366 https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1 https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm
Metrics		cvssV3_1 `{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N'}`

Show plain JSON

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-53861", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-22T17:30:02.144Z", "datePublished": "2024-11-29T18:43:07.644Z", "dateUpdated": "2024-12-02T18:10:35.507Z"}, "containers": {"cna": {"title": "Issuer field partial matches allowed in pyjwt", "problemTypes": [{"descriptions": [{"cweId": "CWE-697", "lang": "en", "description": "CWE-697: Incorrect Comparison", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm"}, {"name": "https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366", "tags": ["x_refsource_MISC"], "url": "https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366"}, {"name": "https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1", "tags": ["x_refsource_MISC"], "url": "https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1"}], "affected": [{"vendor": "jpadilla", "product": "pyjwt", "versions": [{"version": "= 2.10.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-02T18:10:35.507Z"}, "descriptions": [{"lang": "en", "value": "pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `\"acb\"` being accepted for `\"_abc_\"`. This is a bug introduced in version 2.10.0: checking the \"iss\" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if \"abc\" not in \"__abcd__\":` being checked instead of `if \"abc\" != \"__abc__\":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-75c5-xw7c-p5pm", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "pyjwt_project", "product": "pyjwt", "cpes": ["cpe:2.3:a:pyjwt_project:pyjwt:2.10.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.10.0", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-02T11:10:51.855024Z", "id": "CVE-2024-53861", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-02T11:12:17.956Z"}}]}}

{

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

cveMetadata : { »

cveId : CVE-2024-53861 (string)

assignerOrgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

state : PUBLISHED (string)

assignerShortName : GitHub_M (string)

dateReserved : 2024-11-22T17:30:02.144Z (string)

datePublished : 2024-11-29T18:43:07.644Z (string)

dateUpdated : 2024-12-02T18:10:35.507Z (string)

}

containers : { »

cna : { »

title : Issuer field partial matches allowed in pyjwt (string)

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-697 (string)

lang : en (string)

description : CWE-697: Incorrect Comparison (string)

type : CWE (string)

}

]

}

]

metrics : [ »

0 : { »

cvssV3_1 : { »

attackComplexity : HIGH (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 2.2 (number)

baseSeverity : LOW (string)

confidentialityImpact : NONE (string)

integrityImpact : LOW (string)

privilegesRequired : HIGH (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N (string)

version : 3.1 (string)

}

]

references : [ »

0 : { »

name : https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm (string)

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm (string)

}

1 : { »

name : https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366 (string)

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366 (string)

}

2 : { »

name : https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1 (string)

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1 (string)

}

]

affected : [ »

0 : { »

vendor : jpadilla (string)

product : pyjwt (string)

versions : [ »

0 : { »

version : = 2.10.0 (string)

status : affected (string)

}

]

}

]

providerMetadata : { »

orgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

shortName : GitHub_M (string)

dateUpdated : 2024-12-02T18:10:35.507Z (string)

}

descriptions : [ »

0 : { »

lang : en (string)

value : pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability. (string)

}

]

source : { »

advisory : GHSA-75c5-xw7c-p5pm (string)

discovery : UNKNOWN (string)

}

adp : [ »

0 : { »

affected : [ »

0 : { »

vendor : pyjwt_project (string)

product : pyjwt (string)

cpes : [ »

0 : cpe:2.3:a:pyjwt_project:pyjwt:2.10.0:*:*:*:*:*:*:* (string)

]

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 2.10.0 (string)

status : affected (string)

}

]

}

]

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

timestamp : 2024-12-02T11:10:51.855024Z (string)

id : CVE-2024-53861 (string)

options : [ »

0 : { »

Exploitation : poc (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : partial (string)

}

]

role : CISA Coordinator (string)

version : 2.0.3 (string)

}

]

title : CISA ADP Vulnrichment (string)

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-12-02T11:12:17.956Z (string)

}

]

}

Show plain JSON

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-53861", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-02T11:10:51.855024Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:pyjwt_project:pyjwt:2.10.0:*:*:*:*:*:*:*"], "vendor": "pyjwt_project", "product": "pyjwt", "versions": [{"status": "affected", "version": "2.10.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-02T11:12:13.492Z"}}], "cna": {"title": "Issuer field partial matches allowed in pyjwt", "source": {"advisory": "GHSA-75c5-xw7c-p5pm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "jpadilla", "product": "pyjwt", "versions": [{"status": "affected", "version": "= 2.10.0"}]}], "references": [{"url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm", "name": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366", "name": "https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1", "name": "https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `\"acb\"` being accepted for `\"_abc_\"`. This is a bug introduced in version 2.10.0: checking the \"iss\" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if \"abc\" not in \"__abcd__\":` being checked instead of `if \"abc\" != \"__abc__\":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-697", "description": "CWE-697: Incorrect Comparison"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-12-02T18:10:35.507Z"}}}, "cveMetadata": {"cveId": "CVE-2024-53861", "state": "PUBLISHED", "dateUpdated": "2024-12-02T18:10:35.507Z", "dateReserved": "2024-11-22T17:30:02.144Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-29T18:43:07.644Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{

dataType : CVE_RECORD (string)

containers : { »

adp : [ »

0 : { »

title : CISA ADP Vulnrichment (string)

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2024-53861 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : poc (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : partial (string)

}

]

version : 2.0.3 (string)

timestamp : 2024-12-02T11:10:51.855024Z (string)

}

]

affected : [ »

0 : { »

cpes : [ »

0 : cpe:2.3:a:pyjwt_project:pyjwt:2.10.0:*:*:*:*:*:*:* (string)

]

vendor : pyjwt_project (string)

product : pyjwt (string)

versions : [ »

0 : { »

status : affected (string)

version : 2.10.0 (string)

}

]

defaultStatus : unknown (string)

}

]

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-12-02T11:12:13.492Z (string)

}

]

cna : { »

title : Issuer field partial matches allowed in pyjwt (string)

source : { »

advisory : GHSA-75c5-xw7c-p5pm (string)

discovery : UNKNOWN (string)

}

metrics : [ »

0 : { »

cvssV3_1 : { »

scope : UNCHANGED (string)

version : 3.1 (string)

baseScore : 2.2 (number)

attackVector : NETWORK (string)

baseSeverity : LOW (string)

vectorString : CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N (string)

integrityImpact : LOW (string)

userInteraction : NONE (string)

attackComplexity : HIGH (string)

availabilityImpact : NONE (string)

privilegesRequired : HIGH (string)

confidentialityImpact : NONE (string)

}

]

affected : [ »

0 : { »

vendor : jpadilla (string)

product : pyjwt (string)

versions : [ »

0 : { »

status : affected (string)

version : = 2.10.0 (string)

}

]

}

]

references : [ »

0 : { »

url : https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm (string)

name : https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm (string)

tags : [ »

0 : x_refsource_CONFIRM (string)

]

}

1 : { »

url : https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366 (string)

name : https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366 (string)

tags : [ »

0 : x_refsource_MISC (string)

]

}

2 : { »

url : https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1 (string)

name : https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1 (string)

tags : [ »

0 : x_refsource_MISC (string)

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

lang : en (string)

type : CWE (string)

cweId : CWE-697 (string)

description : CWE-697: Incorrect Comparison (string)

}

]

}

]

providerMetadata : { »

orgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

shortName : GitHub_M (string)

dateUpdated : 2024-12-02T18:10:35.507Z (string)

}

cveMetadata : { »

cveId : CVE-2024-53861 (string)

state : PUBLISHED (string)

dateUpdated : 2024-12-02T18:10:35.507Z (string)

dateReserved : 2024-11-22T17:30:02.144Z (string)

assignerOrgId : a0819718-46f1-4df5-94e2-005712e83aaa (string)

datePublished : 2024-11-29T18:43:07.644Z (string)

assignerShortName : GitHub_M (string)

}

dataVersion : 5.1 (string)

}

Show plain JSON

{"cveTags": [], "descriptions": [{"lang": "en", "value": "pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `\"acb\"` being accepted for `\"_abc_\"`. This is a bug introduced in version 2.10.0: checking the \"iss\" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if \"abc\" not in \"__abcd__\":` being checked instead of `if \"abc\" != \"__abc__\":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "pyjwt es una implementaci\u00f3n de JSON Web Token en Python. Se ejecuta una comparaci\u00f3n de cadena incorrecta para la comprobaci\u00f3n de `iss`, lo que da como resultado que `\"acb\"` se acepte en lugar de `\"_abc_\"`. Este es un error introducido en la versi\u00f3n 2.10.0: la comprobaci\u00f3n de la reclamaci\u00f3n \"iss\" cambi\u00f3 de `isinstance(issuer, list)` a `isinstance(issuer, Sequence)`. Dado que str es una secuencia, pero no una lista, `in` tambi\u00e9n se utiliza para la comparaci\u00f3n de cadenas. Esto da como resultado que se compruebe `if \"abc\" not in \"__abcd__\":` en lugar de `if \"abc\" != \"__abc__\":`. Las comprobaciones de firma a\u00fan est\u00e1n presentes, por lo que es probable que el impacto en el mundo real se limite a escenarios de denegaci\u00f3n de servicio. Este problema se ha corregido en la versi\u00f3n 2.10.1. Se recomienda a todos los usuarios que actualicen. No existen workarounds conocidos para esta vulnerabilidad."}], "id": "CVE-2024-53861", "lastModified": "2024-12-02T19:15:12.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-11-29T19:15:09.433", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366"}, {"source": "security-advisories@github.com", "url": "https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1"}, {"source": "security-advisories@github.com", "url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-697"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{

cveTags : [ *empty* ]

descriptions : [ »

0 : { »

lang : en (string)

value : pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability. (string)

}

1 : { »

lang : es (string)

value : pyjwt es una implementación de JSON Web Token en Python. Se ejecuta una comparación de cadena incorrecta para la comprobación de `iss`, lo que da como resultado que `"acb"` se acepte en lugar de `"_abc_"`. Este es un error introducido en la versión 2.10.0: la comprobación de la reclamación "iss" cambió de `isinstance(issuer, list)` a `isinstance(issuer, Sequence)`. Dado que str es una secuencia, pero no una lista, `in` también se utiliza para la comparación de cadenas. Esto da como resultado que se compruebe `if "abc" not in "__abcd__":` en lugar de `if "abc" != "__abc__":`. Las comprobaciones de firma aún están presentes, por lo que es probable que el impacto en el mundo real se limite a escenarios de denegación de servicio. Este problema se ha corregido en la versión 2.10.1. Se recomienda a todos los usuarios que actualicen. No existen workarounds conocidos para esta vulnerabilidad. (string)

}

]

id : CVE-2024-53861 (string)

lastModified : 2024-12-02T19:15:12.150 (string)

metrics : { »

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : HIGH (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 2.2 (number)

baseSeverity : LOW (string)

confidentialityImpact : NONE (string)

integrityImpact : LOW (string)

privilegesRequired : HIGH (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 0.7 (number)

impactScore : 1.4 (number)

source : security-advisories@github.com (string)

type : Secondary (string)

}

]

}

published : 2024-11-29T19:15:09.433 (string)

references : [ »

0 : { »

source : security-advisories@github.com (string)

url : https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366 (string)

}

1 : { »

source : security-advisories@github.com (string)

url : https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1 (string)

}

2 : { »

source : security-advisories@github.com (string)

url : https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm (string)

}

]

sourceIdentifier : security-advisories@github.com (string)

vulnStatus : Awaiting Analysis (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-697 (string)

}

]

source : security-advisories@github.com (string)

type : Secondary (string)

}

]

}

Show plain JSON

{"bugzilla": {"description": "pyjwt: Issuer field partial matches allowed in pyjwt", "id": "2329527", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2329527"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-697", "details": ["pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `\"acb\"` being accepted for `\"_abc_\"`. This is a bug introduced in version 2.10.0: checking the \"iss\" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if \"abc\" not in \"__abcd__\":` being checked instead of `if \"abc\" != \"__abc__\":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."], "name": "CVE-2024-53861", "package_state": [{"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Not affected", "package_name": "openshift-lightspeed-tech-preview/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "package_name": "ansible-tower", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "aap-cloud-metrics-collector-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/de-supported-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ee-dellemc-openmanage-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ee-supported-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/platform-resource-runner-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-25/ansible-dev-tools-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python3.11-pyjwt", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python3x-pyjwt", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python-pyjwt", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "fence-agents", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "python-pyjwt", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite-capsule:el8/python-pyjwt", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite:el8/python-pyjwt", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Not affected", "package_name": "python-pyjwt", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2024-11-29T18:43:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-53861\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53861\nhttps://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366\nhttps://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1\nhttps://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm"], "threat_severity": "Low"}

{

bugzilla : { »

description : pyjwt: Issuer field partial matches allowed in pyjwt (string)

id : 2329527 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=2329527 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 2.2 (string)

cvss3_scoring_vector : CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L (string)

status : draft (string)

}

cwe : CWE-697 (string)

details : [ »

0 : pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability. (string)

]

name : CVE-2024-53861 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:redhat:openshift_lightspeed (string)