Search for packages
| purl | pkg:pypi/python-jose@3.3.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-az98-gfrm-c3ev
Aliases: CVE-2024-33664 GHSA-cjwg-qfpm-7377 PYSEC-2024-233 |
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319. |
Affected by 0 other vulnerabilities. |
|
VCID-vnjx-j746-z3fn
Aliases: CVE-2024-33663 GHSA-6c5p-j8vq-pqhj PYSEC-2024-232 |
python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217. |
Affected by 0 other vulnerabilities. |
|
VCID-x2xb-crrp-hfaf
Aliases: CVE-2024-29370 GHSA-h4pw-wxh7-4vjj |
Duplicate Advisory: python-jose denial of service via compressed JWE content ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-cjwg-qfpm-7377. This link is maintained to preserve external references. ### Original Description In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||