CVE-2017-11424

Published: Aug 24, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.

Affected (3)

Products: Pyjwt Project: Pyjwt · Debian: Debian Linux

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pyjwt Project Pyjwt	Up to 1.5.0

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

References (4)

http://www.debian.org/security/2017/dsa-3979

Source: security@duo.com

Third Party Advisory

https://github.com/jpadilla/pyjwt/pull/277

Source: security@duo.com

Issue TrackingPatchThird Party Advisory

http://www.debian.org/security/2017/dsa-3979

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/jpadilla/pyjwt/pull/277

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

Timeline

No history available yet.