VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-42yf-7k7m-dkf6

Essentials
Severities (27)
References (12)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-42yf-7k7m-dkf6
Aliases	CVE-2017-11424 GHSA-r9jw-mwhq-wp62 PYSEC-2017-24
Summary	In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	5.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-11424.json
epss	0.00193	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.00193	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.00525	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.00525	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.00847	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.00847	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.01288	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.01288	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.01288	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.01288	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.01288	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.01288	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.01288	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.01288	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
epss	0.01288	https://api.first.org/data/v1/epss?cve=CVE-2017-11424
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-r9jw-mwhq-wp62
cvssv3.1	7.5	https://github.com/jpadilla/pyjwt
generic_textual	HIGH	https://github.com/jpadilla/pyjwt
cvssv3.1	7.5	https://github.com/jpadilla/pyjwt/pull/277
generic_textual	HIGH	https://github.com/jpadilla/pyjwt/pull/277
cvssv3.1	7.5	https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2017-24.yaml
generic_textual	HIGH	https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2017-24.yaml
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2017-11424
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2017-11424
cvssv3.1	7.5	http://www.debian.org/security/2017/dsa-3979
generic_textual	HIGH	http://www.debian.org/security/2017/dsa-3979

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-11424.json
		https://api.first.org/data/v1/epss?cve=CVE-2017-11424
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11424
		https://github.com/advisories/GHSA-r9jw-mwhq-wp62
		https://github.com/jpadilla/pyjwt
		https://github.com/jpadilla/pyjwt/pull/277
		https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2017-24.yaml
		http://www.debian.org/security/2017/dsa-3979
1482529		https://bugzilla.redhat.com/show_bug.cgi?id=1482529
873244		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873244
CVE-2017-11424		https://nvd.nist.gov/vuln/detail/CVE-2017-11424
USN-3407-1		https://usn.ubuntu.com/3407-1/

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-11424.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/jpadilla/pyjwt

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/jpadilla/pyjwt/pull/277

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2017-24.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-11424

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at http://www.debian.org/security/2017/dsa-3979

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.41021
EPSS Score	0.00193
Published At	April 26, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:41:32.401641+00:00	Pypa Importer	Import	https://github.com/pypa/advisory-database/blob/main/vulns/pyjwt/PYSEC-2017-24.yaml	38.0.0