CVE-2024-37568: Authlib has algorithm confusion with asymmetric public keys

June 9, 2024 (updated June 10, 2024)

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)

References

github.com/advisories/GHSA-5357-c2jx-v7qh
github.com/lepture/authlib
github.com/lepture/authlib/issues/654
github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2024-52.yaml
nvd.nist.gov/vuln/detail/CVE-2024-37568

Detect and mitigate CVE-2024-37568 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →