PyPI: python-jose
CVE-2024-33663
Safety vulnerability ID: SFTY-20240426-52327
Safety legacy ID: pyup.io-70715
Affected versions of Python-jose have a algorithm confusion vulnerability with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.
Overview
python-jose algorithm confusion with OpenSSH ECDSA keys
Advisory
Affected versions of Python-jose have a algorithm confusion vulnerability with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.
How to Fix
Upgrade
python-jose
to3.4.0
or higher.Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20240426-52327/CVE-2024-33663
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33663
- https://github.com/mpdavis/python-jose/issues/346
- https://nvd.nist.gov/vuln/detail/CVE-2024-33663
- https://github.com/mpdavis/python-jose/issues/346
- https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-python-jose-cve-2024-33663
- https://github.com/pypa/advisory-database/tree/main/vulns/python-jose/PYSEC-2024-232.yaml
- https://github.com/advisories/GHSA-6c5p-j8vq-pqhj
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more