cvelistv5 - cve-2022-39227

CVE-2022-39227 (GCVE-0-2022-39227)

Vulnerability from cvelistv5

Published

2022-09-23 06:55

Modified

2024-08-03 12:00

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-290 - Authentication Bypass by Spoofing

Summary

python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.

References

URL

Tags

security-advisories@github.com	https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9	Patch
security-advisories@github.com	https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml	Third Party Advisory
security-advisories@github.com	https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt
af854a3a-2127-422b-91ae-364da2661108	https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt

Impacted products

	Vendor	Product	Version
	davedoesdev	python-jwt	Version: < 3.3.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-39227",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-10T20:53:18.535735Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-10T20:53:34.449Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:00:43.537Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "python-jwt",
          "vendor": "davedoesdev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.3.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user\u0027s identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290: Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-10T20:13:44.143775",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp"
        },
        {
          "url": "https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9"
        },
        {
          "url": "https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml"
        },
        {
          "url": "https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt"
        }
      ],
      "source": {
        "advisory": "GHSA-5p8v-58qm-c7fp",
        "discovery": "UNKNOWN"
      },
      "title": "Python-jwt subject to Authentication Bypass by Spoofing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-39227",
    "datePublished": "2022-09-23T06:55:09",
    "dateReserved": "2022-09-02T00:00:00",
    "dateUpdated": "2024-08-03T12:00:43.537Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-39227\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-09-23T07:15:09.300\",\"lastModified\":\"2024-11-21T07:17:49.730\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user\u0027s identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.\"},{\"lang\":\"es\",\"value\":\"python-jwt es un m\u00f3dulo para generar y verificar tokens web JSON. Las versiones anteriores a 3.3.4, est\u00e1n sujetas a Una Omisi\u00f3n de la Autenticaci\u00f3n por medio de Suplantaci\u00f3n, resultando en una suplantaci\u00f3n de identidad, secuestro de la sesi\u00f3n o omisi\u00f3n de autenticaci\u00f3n. Un atacante que obtiene un JWT puede falsificar arbitrariamente su contenido sin conocer la clave secreta. Dependiendo de la aplicaci\u00f3n, esto puede permitir al atacante, por ejemplo, falsificar la identidad de otros usuarios, secuestrar sus sesiones o omitir la autenticaci\u00f3n. Los usuarios deben actualizar a versi\u00f3n 3.3.4. No se presentan mitigaciones conocidas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python-jwt_project:python-jwt:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.3.4\",\"matchCriteriaId\":\"2695CD7F-DF01-4804-9795-E4C7D9AE0684\"}]}]}],\"references\":[{\"url\":\"https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T12:00:43.537Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-39227\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-10T20:53:18.535735Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-10T20:53:31.903Z\"}}], \"cna\": {\"title\": \"Python-jwt subject to Authentication Bypass by Spoofing\", \"source\": {\"advisory\": \"GHSA-5p8v-58qm-c7fp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"davedoesdev\", \"product\": \"python-jwt\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.3.4\"}]}], \"references\": [{\"url\": \"https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp\"}, {\"url\": \"https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9\"}, {\"url\": \"https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml\"}, {\"url\": \"https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user\u0027s identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290: Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-10T20:13:44.143775\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-39227\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-03T12:00:43.537Z\", \"dateReserved\": \"2022-09-02T00:00:00\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-09-23T06:55:09\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

gsd-2022-39227

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2022-39227

Aliases

CVE-2022-39227

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-39227",
    "description": "python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user\u0027s identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.",
    "id": "GSD-2022-39227"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-39227"
      ],
      "details": "python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user\u0027s identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.",
      "id": "GSD-2022-39227",
      "modified": "2023-12-13T01:19:20.552205Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-39227",
        "STATE": "PUBLIC",
        "TITLE": "Python-jwt subject to Authentication Bypass by Spoofing"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "python-jwt",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 3.3.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "davedoesdev"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user\u0027s identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-290: Authentication Bypass by Spoofing"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp",
            "refsource": "CONFIRM",
            "url": "https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp"
          },
          {
            "name": "https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9",
            "refsource": "MISC",
            "url": "https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9"
          },
          {
            "name": "https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml",
            "refsource": "MISC",
            "url": "https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-5p8v-58qm-c7fp",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=3.0.0,\u003c3.3.4",
          "affected_versions": "All versions starting from 3.0.0 before 3.3.4",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-290",
            "CWE-937"
          ],
          "date": "2023-03-04",
          "description": "python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user\u0027s identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.",
          "fixed_versions": [
            "3.3.4"
          ],
          "identifier": "CVE-2022-39227",
          "identifiers": [
            "CVE-2022-39227",
            "GHSA-5p8v-58qm-c7fp",
            "GMS-2022-4408"
          ],
          "not_impacted": "All versions before 3.0.0, all versions starting from 3.3.4",
          "package_slug": "pypi/python-jwt",
          "pubdate": "2022-09-23",
          "solution": "Upgrade to version 3.3.4 or above.",
          "title": "Authentication Bypass by Spoofing",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-39227",
            "https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9",
            "https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp",
            "https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml",
            "https://github.com/davedoesdev/python-jwt/commit/6c5075469847b9e8b6e5336077d989d77a4d2bf1",
            "https://github.com/advisories/GHSA-5p8v-58qm-c7fp"
          ],
          "uuid": "4d7f49b7-77b2-4062-9aad-74d16a7c9473"
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions before 3.3.4",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-09-21",
          "description": "### Impact\nAn attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user\u0027s identities, hijack their sessions, or bypass authentication.\n\n### Patches\nUsers should upgrade to version 3.3.4\nFixed by: https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9\n\n ### Workarounds\nNone\n\n### References\nFound by [Tom Tervoort](Tom.Tervoort@secura.com)\n https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml\n\n ### More information\n\nThe vulnerability allows an attacker, who possesses a single valid JWT, to create a new token with forged claims that the verify_jwt function will accept as valid.\n\nThe issue is caused by an inconsistency between the JWT parsers used by python-jwt and its dependency jwcrypto. By mixing compact and JSON representations, an attacker can trick jwcrypto of parsing different claims than those over which a signature is validated by jwcrypto.\n\nTesting the fix has been added as an [automated unit test](https://github.com/davedoesdev/python-jwt/blob/master/test/vulnerability_vows.py) to python-jwt.\n\nIf you have any questions or comments about this advisory, please open an issue in [python-jwt](https://github.com/davedoesdev/python-jwt)\n",
          "fixed_versions": [
            "3.3.4"
          ],
          "identifier": "GMS-2022-4408",
          "identifiers": [
            "GHSA-5p8v-58qm-c7fp",
            "GMS-2022-4408",
            "CVE-2022-39227"
          ],
          "not_impacted": "All versions starting from 3.3.4",
          "package_slug": "pypi/python-jwt",
          "pubdate": "2022-09-21",
          "solution": "Upgrade to version 3.3.4 or above.",
          "title": "Duplicate of ./pypi/python-jwt/CVE-2022-39227.yml",
          "urls": [
            "https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp",
            "https://github.com/davedoesdev/python-jwt/commit/6c5075469847b9e8b6e5336077d989d77a4d2bf1",
            "https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9",
            "https://github.com/advisories/GHSA-5p8v-58qm-c7fp"
          ],
          "uuid": "e0d631d7-3062-4e5a-915b-9135368248b9"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:python-jwt_project:python-jwt:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.3.4",
                "versionStartIncluding": "3.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-39227"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user\u0027s identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-290"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9"
            },
            {
              "name": "https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp"
            },
            {
              "name": "https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2023-03-04T01:43Z",
      "publishedDate": "2022-09-23T07:15Z"
    }
  }
}

pysec-2022-259

Vulnerability from pysec

Published

2022-09-01 18:51

Modified

2022-09-05 01:24

Details

An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication.

Impacted products

Name	purl
python-jwt	pkg:pypi/python-jwt

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "python-jwt",
        "purl": "pkg:pypi/python-jwt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "f6d1451012c6a04c2fb1940f0bbd93bb6cf2b025"
            },
            {
              "fixed": "88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9"
            }
          ],
          "repo": "https://github.com/davedoesdev/python-jwt",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.3.0",
        "3.1.0",
        "3.2.0",
        "3.2.1",
        "3.2.2",
        "3.2.3",
        "3.2.4",
        "3.2.5",
        "3.2.6",
        "3.3.0",
        "3.3.1",
        "3.3.2",
        "3.3.3",
        "3.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39227",
    "GHSA-5p8v-58qm-c7fp"
  ],
  "details": "An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user\u0027s identities, hijack their sessions, or bypass authentication.",
  "id": "PYSEC-2022-259",
  "modified": "2022-09-05T01:24:44.773501Z",
  "published": "2022-09-01T18:51:51Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9"
    }
  ]
}

msrc_cve-2022-39227

Vulnerability from csaf_microsoft

Published

2022-09-02 00:00

Modified

2025-07-11 00:00

Summary

Python-jwt subject to Authentication Bypass by Spoofing

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2022-39227 Python-jwt subject to Authentication Bypass by Spoofing - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-39227.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Python-jwt subject to Authentication Bypass by Spoofing",
    "tracking": {
      "current_release_date": "2025-07-11T00:00:00.000Z",
      "generator": {
        "date": "2025-10-19T23:55:36.228Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2022-39227",
      "initial_release_date": "2022-09-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2022-09-29T00:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2025-07-11T00:00:00.000Z",
          "legacy_version": "2",
          "number": "2",
          "summary": "Added python-jwt to CBL-Mariner 1.0\nAdded python-jwt to CBL-Mariner 2.0"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.0",
                "product": {
                  "name": "CBL Mariner 1.0",
                  "product_id": "16820"
                }
              },
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              },
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccm1 python-jwt 2.4.0-2",
                "product": {
                  "name": "\u003ccm1 python-jwt 2.4.0-2",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version",
                "name": "cm1 python-jwt 2.4.0-2",
                "product": {
                  "name": "cm1 python-jwt 2.4.0-2",
                  "product_id": "18603"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 python-jwt 2.4.0-2",
                "product": {
                  "name": "\u003ccbl2 python-jwt 2.4.0-2",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 python-jwt 2.4.0-2",
                "product": {
                  "name": "cbl2 python-jwt 2.4.0-2",
                  "product_id": "18604"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 python-jwt 2.8.0-2",
                "product": {
                  "name": "\u003cazl3 python-jwt 2.8.0-2",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 python-jwt 2.8.0-2",
                "product": {
                  "name": "azl3 python-jwt 2.8.0-2",
                  "product_id": "20159"
                }
              }
            ],
            "category": "product_name",
            "name": "python-jwt"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccm1 python-jwt 2.4.0-2 as a component of CBL Mariner 1.0",
          "product_id": "16820-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cm1 python-jwt 2.4.0-2 as a component of CBL Mariner 1.0",
          "product_id": "18603-16820"
        },
        "product_reference": "18603",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 python-jwt 2.4.0-2 as a component of CBL Mariner 2.0",
          "product_id": "17086-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 python-jwt 2.4.0-2 as a component of CBL Mariner 2.0",
          "product_id": "18604-17086"
        },
        "product_reference": "18604",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 python-jwt 2.8.0-2 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 python-jwt 2.8.0-2 as a component of Azure Linux 3.0",
          "product_id": "20159-17084"
        },
        "product_reference": "20159",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-39227",
      "cwe": {
        "id": "CWE-290",
        "name": "Authentication Bypass by Spoofing"
      },
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "18603-16820",
          "18604-17086",
          "20159-17084"
        ],
        "known_affected": [
          "16820-3",
          "17086-2",
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-39227 Python-jwt subject to Authentication Bypass by Spoofing - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-39227.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-29T00:00:00.000Z",
          "details": "2.4.0-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "16820-3",
            "17086-2"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-09-29T00:00:00.000Z",
          "details": "2.8.0-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-1"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.1,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "16820-3",
            "17086-2",
            "17084-1"
          ]
        }
      ],
      "title": "Python-jwt subject to Authentication Bypass by Spoofing"
    }
  ]
}

fkie_cve-2022-39227

Vulnerability from fkie_nvd

Published

2022-09-23 07:15

Modified

2024-11-21 07:17

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9	Patch
security-advisories@github.com	https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml	Third Party Advisory
security-advisories@github.com	https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt
af854a3a-2127-422b-91ae-364da2661108	https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt

Impacted products

	Vendor	Product	Version
	python-jwt_project	python-jwt	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:python-jwt_project:python-jwt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2695CD7F-DF01-4804-9795-E4C7D9AE0684",
              "versionEndExcluding": "3.3.4",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user\u0027s identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds."
    },
    {
      "lang": "es",
      "value": "python-jwt es un m\u00f3dulo para generar y verificar tokens web JSON. Las versiones anteriores a 3.3.4, est\u00e1n sujetas a Una Omisi\u00f3n de la Autenticaci\u00f3n por medio de Suplantaci\u00f3n, resultando en una suplantaci\u00f3n de identidad, secuestro de la sesi\u00f3n o omisi\u00f3n de autenticaci\u00f3n. Un atacante que obtiene un JWT puede falsificar arbitrariamente su contenido sin conocer la clave secreta. Dependiendo de la aplicaci\u00f3n, esto puede permitir al atacante, por ejemplo, falsificar la identidad de otros usuarios, secuestrar sus sesiones o omitir la autenticaci\u00f3n. Los usuarios deben actualizar a versi\u00f3n 3.3.4. No se presentan mitigaciones conocidas."
    }
  ],
  "id": "CVE-2022-39227",
  "lastModified": "2024-11-21T07:17:49.730",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-23T07:15:09.300",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-290"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

ghsa-5p8v-58qm-c7fp

Vulnerability from github

Published

2022-09-21 21:33

Modified

2024-07-10 21:32

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

python-jwt vulnerable to token forgery with new claims

Details

Impact

Patches

Users should upgrade to version 3.3.4 Fixed by: https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9

Workarounds

None

References

Found by Tom Tervoort https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml

More information

The vulnerability allows an attacker, who possesses a single valid JWT, to create a new token with forged claims that the verify_jwt function will accept as valid.

The issue is caused by an inconsistency between the JWT parsers used by python-jwt and its dependency jwcrypto. By mixing compact and JSON representations, an attacker can trick jwcrypto of parsing different claims than those over which a signature is validated by jwcrypto.

Testing the fix has been added as an automated unit test to python-jwt.

If you have any questions or comments about this advisory, please open an issue in python-jwt

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "python-jwt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-21T21:33:22Z",
    "nvd_published_at": "2022-09-23T07:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nAn attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user\u0027s identities, hijack their sessions, or bypass authentication.\n\n### Patches\nUsers should upgrade to version 3.3.4\nFixed by: https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9\n\n### Workarounds\nNone\n\n### References\nFound by [Tom Tervoort](Tom.Tervoort@secura.com)\nhttps://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml\n\n### More information\n\nThe vulnerability allows an attacker, who possesses a single valid JWT, to create a new token with forged claims that the verify_jwt function will accept as valid.\n\nThe issue is caused by an inconsistency between the JWT parsers used by python-jwt and its dependency jwcrypto. By mixing compact and JSON representations, an attacker can trick jwcrypto of parsing different claims than those over which a signature is validated by jwcrypto.\n\nTesting the fix has been added as an [automated unit test](https://github.com/davedoesdev/python-jwt/blob/master/test/vulnerability_vows.py) to python-jwt.\n\nIf you have any questions or comments about this advisory, please open an issue in [python-jwt](https://github.com/davedoesdev/python-jwt)\n",
  "id": "GHSA-5p8v-58qm-c7fp",
  "modified": "2024-07-10T21:32:14Z",
  "published": "2022-09-21T21:33:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39227"
    },
    {
      "type": "WEB",
      "url": "https://github.com/davedoesdev/python-jwt/commit/6c5075469847b9e8b6e5336077d989d77a4d2bf1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/davedoesdev/python-jwt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "python-jwt vulnerable to token forgery with new claims"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2022-39227 (GCVE-0-2022-39227)

Vulnerability from cvelistv5

gsd-2022-39227

Vulnerability from gsd

pysec-2022-259

Vulnerability from pysec

msrc_cve-2022-39227

Vulnerability from csaf_microsoft

fkie_cve-2022-39227

Vulnerability from fkie_nvd

ghsa-5p8v-58qm-c7fp

Vulnerability from github

Impact

Patches

Workarounds

References

More information

Tags

Sightings

Nomenclature