-
Notifications
You must be signed in to change notification settings - Fork 70
/
Copy pathPYSEC-2022-259.yaml
43 lines (43 loc) · 1.02 KB
/
PYSEC-2022-259.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
id: PYSEC-2022-259
details: An attacker who obtains a JWT can arbitrarily forge its contents without
knowing the secret key. Depending on the application, this may for example enable
the attacker to spoof other user's identities, hijack their sessions, or bypass
authentication.
modified: '2022-09-05T01:24:44.773501Z'
published: '2022-09-01T18:51:51Z'
references:
- type: FIX
url: https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9
affected:
- package:
name: python-jwt
ecosystem: PyPI
purl: pkg:pypi/python-jwt
ranges:
- type: GIT
repo: https://github.com/davedoesdev/python-jwt
events:
- introduced: f6d1451012c6a04c2fb1940f0bbd93bb6cf2b025
- fixed: 88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9
- type: ECOSYSTEM
events:
- introduced: 3.0.0
- fixed: 3.3.4
versions:
- 3.3.0
- 3.1.0
- 3.2.0
- 3.2.1
- 3.2.2
- 3.2.3
- 3.2.4
- 3.2.5
- 3.2.6
- 3.3.0
- 3.3.1
- 3.3.2
- 3.3.3
- 3.0.0
aliases:
- CVE-2022-39227
- GHSA-5p8v-58qm-c7fp