lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
References
Configurations
History
15 Aug 2024, 16:35
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-284 |
25 Jul 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Jun 2024, 09:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
18 Jun 2024, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
12 Jun 2024, 13:29
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
CPE | cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:* | |
References | () https://github.com/lepture/authlib/issues/654 - Exploit, Issue Tracking | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CWE | CWE-347 | |
First Time |
Authlib authlib
Authlib |
09 Jun 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-09 19:15
Updated : 2024-08-15 16:35
NVD link : CVE-2024-37568
Mitre link : CVE-2024-37568
CVE.ORG link : CVE-2024-37568
JSON object : View
Products Affected
authlib
- authlib