Search for packages
| purl | pkg:pypi/python-jose@0.1.7 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-az98-gfrm-c3ev
Aliases: CVE-2024-33664 GHSA-cjwg-qfpm-7377 PYSEC-2024-233 |
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319. |
Affected by 0 other vulnerabilities. |
|
VCID-vnjx-j746-z3fn
Aliases: CVE-2024-33663 GHSA-6c5p-j8vq-pqhj PYSEC-2024-232 |
python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217. |
Affected by 0 other vulnerabilities. |
|
VCID-x2xb-crrp-hfaf
Aliases: CVE-2024-29370 GHSA-h4pw-wxh7-4vjj |
Duplicate Advisory: python-jose denial of service via compressed JWE content ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-cjwg-qfpm-7377. This link is maintained to preserve external references. ### Original Description In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. |
Affected by 0 other vulnerabilities. |
|
VCID-zce4-s8rb-kbap
Aliases: CVE-2016-7036 GHSA-w799-prg3-cx77 PYSEC-2017-28 |
python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||