[Python-modules-team] Bug#873244: pyjwt: CVE-2017-11424: Incorrect handling of PEM-encoded public keys

Salvatore Bonaccorso carnil at debian.org
Fri Aug 25 18:59:33 UTC 2017

Source: pyjwt
Version: 1.4.2-1
Severity: important
Tags: security patch upstream
Forwarded: https://github.com/jpadilla/pyjwt/pull/277
Control: found -1 0.2.1-1+deb8u1


the following vulnerability was published for pyjwt.

| In PyJWT 1.5.0 and below the `invalid_strings` check in
| `HMACAlgorithm.prepare_key` does not account for all PEM encoded
| public keys. Specifically, the PKCS1 PEM encoded format would be
| allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC
| KEY-----` which is not accounted for. This enables
| symmetric/asymmetric key confusion attacks against users using the
| PKCS1 PEM encoded public keys, which would allow an attacker to craft
| JWTs from scratch.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11424

Please adjust the affected versions in the BTS as needed. I think this
should be present as well in 0.2.1-1+deb8u1.


More information about the Python-modules-team mailing list