Bugzilla – Bug 1226138
VUL-0: CVE-2024-37568: python-Authlib: algorithm confusion with asymmetric public keys
Last modified: 2024-06-19 10:39:47 UTC
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37568
https://www.cve.org/CVERecord?id=CVE-2024-37568
https://github.com/lepture/authlib/issues/654
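The failure mode in the report, a verifier that trusts the token header's alg when the caller does not pin one, is modelled below with a minimal JWS encoder/decoder. This is an added illustration written for this bug page, not Authlib's code and not its patch: a textbook RSA-style key over two Mersenne primes (no padding, tiny modulus) stands in for a real asymmetric key so the script needs only the Python standard library, and the assumption that the PEM text of the public key is what ends up as the HMAC secret is the example's own (the report does not say which serialization Authlib fed to HMAC). decode_vulnerable reproduces the described pre-1.3.1 behaviour; decode_fixed shows the two usual hardenings, requiring the caller to pin algorithms and refusing any MAC algorithm with an asymmetric key.

```python
import base64
import hashlib
import hmac
import json

# Toy asymmetric key (assumption: stands in for RSA; no padding, ~234-bit modulus).
P = (1 << 127) - 1                  # Mersenne prime 2^127 - 1
Q = (1 << 107) - 1                  # Mersenne prime 2^107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
SIG_LEN = (N.bit_length() + 7) // 8


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def public_key_pem() -> str:
    """The key the server publishes; an attacker can fetch it like anyone else."""
    body = _b64url(json.dumps({"kty": "RSA-toy", "n": N, "e": E}).encode())
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def _parse_public_pem(pem: str) -> dict:
    return json.loads(_unb64url(pem.strip().splitlines()[1]))


def _digest_int(signing_input: bytes) -> int:
    # SHA-224 keeps the hash value below the toy modulus, so H^(d*e) mod N == H.
    return int.from_bytes(hashlib.sha224(signing_input).digest(), "big")


def encode(claims: dict, alg: str, key) -> str:
    """Compact JWS: key is an HMAC secret (bytes) for HS256, the private exponent for RS256."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "HS256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    elif alg == "RS256":
        sig = pow(_digest_int(signing_input), key, N).to_bytes(SIG_LEN, "big")
    else:
        raise ValueError(f"unsupported alg {alg}")
    return f"{header}.{payload}.{_b64url(sig)}"


def _verify(alg: str, key, signing_input: bytes, sig: bytes) -> bool:
    if alg == "HS256":
        secret = key.encode() if isinstance(key, str) else key   # PEM text becomes the MAC key
        return hmac.compare_digest(hmac.new(secret, signing_input, hashlib.sha256).digest(), sig)
    if alg == "RS256":
        pub = _parse_public_pem(key)
        return pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == _digest_int(signing_input)
    return False


def _split(token: str):
    h, p, s = token.split(".")
    return h, p, s, json.loads(_unb64url(h))["alg"]


def decode_vulnerable(token: str, key, algorithms=None) -> dict:
    """Pre-fix behaviour from the report: without `algorithms` the header's alg is trusted."""
    h, p, s, alg = _split(token)
    if algorithms is not None and alg not in algorithms:
        raise ValueError("alg not allowed")
    if not _verify(alg, key, f"{h}.{p}".encode(), _unb64url(s)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(p))


def decode_fixed(token: str, key, algorithms) -> dict:
    """Hardened: algorithms must be pinned, and a PEM (asymmetric) key never drives a MAC."""
    if not algorithms:
        raise ValueError("algorithms must be given explicitly")
    h, p, s, alg = _split(token)
    if alg not in algorithms:
        raise ValueError("alg not allowed")
    if alg.startswith("HS") and isinstance(key, str) and "-----BEGIN" in key:
        raise ValueError("MAC algorithm requested with an asymmetric key")
    if not _verify(alg, key, f"{h}.{p}".encode(), _unb64url(s)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(p))


def issue_token(claims: dict) -> str:
    """Server side: a genuine RS256 token signed with the private exponent."""
    return encode(claims, "RS256", D)


def forge_token(claims: dict, pem: str) -> str:
    """Attacker side: no private key, only the public PEM reused as the HMAC secret."""
    return encode(claims, "HS256", pem.encode())


def demo() -> dict:
    pem = public_key_pem()
    legit = decode_vulnerable(issue_token({"sub": "alice"}), pem)
    forged = forge_token({"sub": "alice", "admin": True}, pem)
    forged_accepted = decode_vulnerable(forged, pem)            # confusion succeeds
    outcomes = {}
    for name, fn in (("pinned", lambda: decode_vulnerable(forged, pem, ["RS256"])),
                     ("fixed", lambda: decode_fixed(forged, pem, ["RS256"]))):
        try:
            fn()
            outcomes[name] = False
        except ValueError:
            outcomes[name] = True
    return {"legit": legit, "forged_accepted": forged_accepted,
            "pinned_rejects": outcomes["pinned"], "fixed_rejects": outcomes["fixed"]}
```

The practitioner's check against a real deployment is the same as the `pinned` path above: every jwt.decode call site must pass an explicit algorithm list, and verification keys should be typed so that a public key can never be handed to an HMAC routine, whatever the header claims.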
A fix is available at: https://github.com/lepture/authlib/commit/3bea812acefebc9ee108aa24557be3ba8971daf1 (the corresponding GitHub issue, #654, is linked in the commit's description).
This is an autogenerated message for OBS integration: This bug (1226138) was mentioned in https://build.opensuse.org/request/show/1179686 Factory / python-Authlib
SUSE-SU-2024:2064-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1226138
CVE References: CVE-2024-37568
Maintenance Incident: [SUSE:Maintenance:34231](https://smelt.suse.de/incident/34231/)

Sources used:
openSUSE Leap 15.6 (src): python-Authlib-1.3.1-150600.3.3.1
Python 3 Module 15-SP6 (src): python-Authlib-1.3.1-150600.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.