Description

pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

INFO

Published Date :

2024-11-29T18:43:07.644Z

Last Modified :

2024-12-02T18:10:35.507Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-53861 vulnerability.

Vendors Products
Pyjwt Project
  • Pyjwt
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-53861.

URL Resource
https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366 cve-icon cve-icon cve-icon
https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1 cve-icon cve-icon cve-icon
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-53861 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-53861 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact