CVE-2022-3102

Severity: Medium
Remote: Yes
Type: Authentication bypass
Description
The JWT code auto-detects the type of token provided (JWS or JWE), which can lead the application to incorrect conclusions about the trustworthiness of the token.
Quoting the private disclosure we received: "Under certain circumstances, it is possible to substitute a [..] signed JWS with a JWE that is encrypted with the public key that is normally used for signature validation." This substitution attack can occur only if the validating application also has access, during validation of the received JWT, to the private key normally used to sign the tokens.

The significance of this attack depends on how the token is used: it may lead to authentication bypass or authorization bypass (if claims are used to authenticate or to authorize certain actions, respectively), because the attacker has full control of the data placed in the JWE and can inject any desired claim value.
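The mitigation the description implies is to refuse any token whose type differs from the one the application expects, instead of letting the library auto-detect it. The following is an added example, not code from this page or from jwcrypto: it classifies a compact-serialized token as JWS or JWE from its segment count and protected header using only the standard library, so it can run as a defence-in-depth pre-check before the token reaches any JWT library. The sample tokens are constructed placeholders whose signature and ciphertext segments are dummy values.

```python
import base64
import json


def _b64url_json(obj: dict) -> str:
    """Base64url-encode a JSON object without padding (JOSE header encoding)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed samples: only the structure matters for this check, so the
# signature / key / iv / ciphertext / tag segments are dummy base64url strings.
CONSTRUCTED_JWS = ".".join(
    [_b64url_json({"alg": "RS256", "typ": "JWT"}), _b64url_json({"sub": "alice"}), "c2ln"]
)
CONSTRUCTED_JWE = ".".join(
    [_b64url_json({"alg": "RSA-OAEP", "enc": "A256GCM"}), "a2V5", "aXY", "Y3Q", "dGFn"]
)


def classify_token(token: str) -> str:
    """Return 'JWS' or 'JWE' for a compact serialization, or raise ValueError."""
    parts = token.split(".")
    if len(parts) == 3:
        expected = "JWS"   # header.payload.signature
    elif len(parts) == 5:
        expected = "JWE"   # header.encrypted_key.iv.ciphertext.tag
    else:
        raise ValueError("not a compact JWS/JWE serialization")
    padded = parts[0] + "=" * (-len(parts[0]) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    if "alg" not in header:
        raise ValueError("protected header lacks 'alg'")
    # A JWE protected header must carry "enc"; a JWS header never does, so the
    # segment count and the header must agree or the token is malformed.
    if ("enc" in header) != (expected == "JWE"):
        raise ValueError("segment count and protected header disagree")
    return expected


def enforce_expected_type(token: str, expected_type: str = "JWS") -> str:
    """Accept the token only if it is of the type the application expects."""
    actual = classify_token(token)
    if actual != expected_type:
        raise ValueError(f"expected {expected_type}, received {actual}: refusing token")
    return actual


def accepts(token: str, expected_type: str = "JWS") -> bool:
    """Boolean form of enforce_expected_type for use at a trust boundary."""
    try:
        enforce_expected_type(token, expected_type)
        return True
    except ValueError:
        return False
```

Run this check before handing the token to the library; a JWE arriving where a signed JWS is expected is rejected regardless of which keys the validator holds.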
Group     Package          Affected  Fixed    Severity  Status  Ticket
AVG-2797  python-jwcrypto  1.3.1-1   1.4.0-1  Medium    Fixed
References
https://github.com/latchset/jwcrypto/pull/299/commits/ed1812083b22aeee7dfcc6dc21a467fab4005903
https://github.com/latchset/jwcrypto/pull/299/commits/5649eac6f3d98b48b140beb2ecccfcc2110302e5
https://github.com/latchset/jwcrypto/pull/299