Bug 1226138 (CVE-2024-37568)

Summary: VUL-0: CVE-2024-37568: python-Authlib: algorithm confusion with asymmetric public keys
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: camila.matos, daniel.garcia
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/409870/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-37568:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-06-10 10:50:37 UTC 
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37568
https://www.cve.org/CVERecord?id=CVE-2024-37568
https://github.com/lepture/authlib/issues/654
Comment 2 Camila Camargo de Matos 2024-06-10 10:54:42 UTC 
A fix is available at: https://github.com/lepture/authlib/commit/3bea812acefebc9ee108aa24557be3ba8971daf1 (the corresponding GitHub issue, #654, is linked in the commit's description).
Comment 3 OBSbugzilla Bot 2024-06-10 11:45:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1226138) was mentioned in
https://build.opensuse.org/request/show/1179686 Factory / python-Authlib
Comment 5 Maintenance Automation 2024-06-18 12:30:16 UTC 
SUSE-SU-2024:2064-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1226138
CVE References: CVE-2024-37568
Maintenance Incident: [SUSE:Maintenance:34231](https://smelt.suse.de/incident/34231/)
Sources used:
openSUSE Leap 15.6 (src):
 python-Authlib-1.3.1-150600.3.3.1
Python 3 Module 15-SP6 (src):
 python-Authlib-1.3.1-150600.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.