ghsa-75c5-xw7c-p5pm
Vulnerability from github
Published
2024-12-02 18:34
Modified
2024-12-02 18:34
Summary
PyJWT Issuer field partial matches allowed
Details

Summary

The wrong `if` check is run for `iss` validation, resulting in `"abc"` being accepted for `"_abc_"`.

Details

This is a bug introduced in version 2.10.0: checking the `"iss"` claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`.

diff - if isinstance(issuer, list): + if isinstance(issuer, Sequence): if payload["iss"] not in issuer: raise InvalidIssuerError("Invalid issuer") else:
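Review bot: the `isinstance(issuer, Sequence)` test on the `+` line also matches `str`, so for a plain-string `issuer` the following `payload["iss"] not in issuer` becomes a substring test rather than an equality check; guard the branch with `isinstance(issuer, str)` first and compare with `!=`, or exclude `str` from the Sequence branch so that only real lists/tuples are treated as a set of allowed issuers.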

Since `str` is a `Sequence` but not a `list`, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`.
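To make the difference concrete, here is an added, stand-alone reconstruction of the check (not PyJWT's own code; the function names, the `accepts` helper and the hardened variant are assumptions), with the 2.10.0 behaviour beside a version that treats a string issuer as a single expected value:

```python
from collections.abc import Sequence


class InvalidIssuerError(Exception):
    """Stand-in for jwt.exceptions.InvalidIssuerError (constructed here)."""


def validate_iss_vulnerable(payload: dict, issuer) -> None:
    """Reconstruction of the 2.10.0 logic described above (not PyJWT's code).

    `str` is a `collections.abc.Sequence`, so a plain-string issuer takes the
    membership branch and `not in` degrades to a substring test.
    """
    if isinstance(issuer, Sequence):
        if payload["iss"] not in issuer:
            raise InvalidIssuerError("Invalid issuer")
    else:
        if payload["iss"] != issuer:
            raise InvalidIssuerError("Invalid issuer")


def validate_iss_fixed(payload: dict, issuer) -> None:
    """Hardened variant (one way to fix it, not necessarily the project's patch).

    A string issuer must compare equal; only a non-string Sequence such as a
    list or tuple is treated as a set of allowed issuers.
    """
    if isinstance(issuer, str) or not isinstance(issuer, Sequence):
        if payload["iss"] != issuer:
            raise InvalidIssuerError("Invalid issuer")
    elif payload["iss"] not in issuer:
        raise InvalidIssuerError("Invalid issuer")


def accepts(check, iss: str, issuer) -> bool:
    """Return True if `check` lets a token whose iss claim is `iss` through."""
    try:
        check({"iss": iss}, issuer)
    except InvalidIssuerError:
        return False
    return True


if __name__ == "__main__":
    # Constructed cases: the advisory's "urn:" prefix and the empty string,
    # which is a substring of every string and so also passes the buggy check.
    for iss in ("urn:expected", "urn:", ""):
        vuln = accepts(validate_iss_vulnerable, iss, "urn:expected")
        fixed = accepts(validate_iss_fixed, iss, "urn:expected")
        print(f"iss={iss!r}: vulnerable accepts={vuln}, fixed accepts={fixed}")
```

With a list issuer both variants behave the same, since `in` on a list is element membership; only the plain-string case differs.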

PoC

Check out the unit tests added here: https://github.com/jpadilla/pyjwt-ghsa-75c5-xw7c-p5pm

```python
import jwt
import pytest
from jwt.exceptions import InvalidIssuerError

issuer = "urn:expected"

payload = {"iss": "urn:"}

token = jwt.encode(payload, "secret")

# decode() succeeds, even though "urn:" != "urn:expected". No exception is raised.
with pytest.raises(InvalidIssuerError):
    jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"])
```

Impact

I would say the real world impact is not that high, seeing as the signature still has to match. We should still fix it.



{
   affected: [
      {
         package: {
            ecosystem: "PyPI",
            name: "PyJWT",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "2.10.0",
                  },
                  {
                     fixed: "2.10.1",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
         versions: [
            "2.10.0",
         ],
      },
   ],
   aliases: [
      "CVE-2024-53861",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-697",
      ],
      github_reviewed: true,
      github_reviewed_at: "2024-12-02T18:34:11Z",
      nvd_published_at: "2024-11-29T19:15:09Z",
      severity: "LOW",
   },
   details: "### Summary\nThe wrong string if check is run for `iss` checking, resulting in `\"acb\"` being accepted for `\"_abc_\"`.\n\n### Details\nThis is a bug introduced in version [2.10.0](https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366): checking the \"iss\" claim\nchanged from `isinstance(issuer, list)` to `isinstance(issuer,\nSequence)`.\n\n```diff\n-        if isinstance(issuer, list):\n+        if isinstance(issuer, Sequence):\n            if payload[\"iss\"] not in issuer:\n                raise InvalidIssuerError(\"Invalid issuer\")\n        else:\n```\n\nSince str is a Sequnce, but not a list, `in` is also used for string\ncomparison. This results in `if \"abc\" not in \"__abcd__\":` being\nchecked instead of `if \"abc\" != \"__abc__\":`.\n### PoC\nCheck out the unit tests added here: https://github.com/jpadilla/pyjwt-ghsa-75c5-xw7c-p5pm\n```python\n        issuer = \"urn:expected\"\n\n        payload = {\"iss\": \"urn:\"}\n\n        token = jwt.encode(payload, \"secret\")\n\n        # decode() succeeds, even though `\"urn:\" != \"urn:expected\". No exception is raised.\n        with pytest.raises(InvalidIssuerError):\n            jwt.decode(token, \"secret\", issuer=issuer, algorithms=[\"HS256\"])\n```\n\n\n### Impact\n\nI would say the real world impact is not that high, seeing as the signature still has to match. We should still fix it.\n",
   id: "GHSA-75c5-xw7c-p5pm",
   modified: "2024-12-02T18:34:11Z",
   published: "2024-12-02T18:34:11Z",
   references: [
      {
         type: "WEB",
         url: "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm",
      },
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2024-53861",
      },
      {
         type: "WEB",
         url: "https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366",
      },
      {
         type: "WEB",
         url: "https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1",
      },
      {
         type: "PACKAGE",
         url: "https://github.com/jpadilla/pyjwt",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N",
         type: "CVSS_V3",
      },
      {
         score: "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
         type: "CVSS_V4",
      },
   ],
   summary: "PyJWT Issuer field partial matches allowed",
}

