Hello! Thanks for this awesome project.

I was reading this issue in the authlib repo that describes the Algorithm Confusion Vulnerability CVE-2024-37568. Quoting the first lines:
If the algorithm field is left unspecified when calling jwt.decode, the library will allow HMAC verification with ANY asymmetric public key. The library does no checks whatsoever to mitigate this. This applies to verification with the algorithms HS256, HS384, and HS512 in lieu of the asymmetric algorithm. This issue is also persistent in joserfc.
However, I did not find any information about the vulnerability in this repo.
Is joserfc vulnerable to Algorithm Confusion? Which versions are affected? Was the issue fixed?
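To make the quoted advisory concrete, here is an added, stdlib-only example (not code from this issue, from joserfc, or from authlib) of what "HMAC verification with an asymmetric public key" means in practice: a toy JWT verifier that trusts the header's `alg` and feeds whatever key it was given into HMAC, next to a variant that pins the allowed algorithms up front. `PUBLIC_KEY_PEM` is a constructed placeholder, since HMAC does not care whether the bytes are a real RSA key, and the PEM-prefix check in `verify_pinned` is an illustrative stand-in for the typed-key enforcement (octet key vs. RSA key objects) a real library would use.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the server's RSA public key PEM. Algorithm confusion
# does not depend on the key material: the attacker only needs the exact bytes
# the verifier will hand to HMAC, and a public key is public by definition.
PUBLIC_KEY_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedplaceholder\n"
    b"-----END PUBLIC KEY-----\n"
)

HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def forge_hmac_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Attacker side: mint an HS* token using the server's PUBLIC key bytes as the secret."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), HMAC_DIGESTS[alg]).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def _hmac_ok(header_b64: str, payload_b64: str, sig_b64: str, key: bytes, alg: str) -> bool:
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), HMAC_DIGESTS[alg]).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def verify_confused(token: str, key: bytes) -> dict:
    """Vulnerable verifier: lets the token's header choose the algorithm.

    The application configured an RSA public key expecting RS256, but because no
    algorithm list was pinned, an attacker-chosen HS256 header makes this code run
    HMAC with that public key as the secret, and the forged signature verifies.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64))["alg"]
    if alg in HMAC_DIGESTS:
        if not _hmac_ok(header_b64, payload_b64, sig_b64, key, alg):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(payload_b64))
    if alg.startswith("RS"):
        # Genuine RSA verification would live here; it is irrelevant to the attack path.
        raise NotImplementedError("RSA verification omitted in this toy")
    raise ValueError(f"unsupported alg {alg!r}")


def verify_pinned(token: str, key: bytes, allowed: set) -> dict:
    """Hardened verifier: the caller pins the algorithm set before any crypto runs,
    and an asymmetric key is never accepted as an HMAC secret."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64))["alg"]
    if alg not in allowed:
        raise ValueError(f"alg {alg!r} not in allowed set {sorted(allowed)}")
    if alg in HMAC_DIGESTS:
        # Illustrative key-type check (assumption: a real library would enforce this
        # through distinct key types rather than by sniffing a PEM prefix).
        if key.startswith(b"-----BEGIN"):
            raise ValueError("refusing to use a PEM-encoded key as an HMAC secret")
        if not _hmac_ok(header_b64, payload_b64, sig_b64, key, alg):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(payload_b64))
    raise NotImplementedError("RSA verification omitted in this toy")


def accepts(verifier, *args) -> bool:
    """Return True if the verifier accepts the token, False if it rejects it."""
    try:
        verifier(*args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    forged = forge_hmac_token({"sub": "admin", "role": "admin"}, PUBLIC_KEY_PEM)
    print("confused verifier accepts forged token:", accepts(verify_confused, forged, PUBLIC_KEY_PEM))
    print("pinned RS256 accepts forged token:    ", accepts(verify_pinned, forged, PUBLIC_KEY_PEM, {"RS256"}))
```

The fix on the application side is the same regardless of library: always pass an explicit algorithm allow-list to the decode call, and keep HMAC secrets and asymmetric keys as distinct key types so an `alg` swap cannot route a public key into HMAC.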