Advisories for Pypi/Commonground-Api-Common package

2024

commonground-api-common unexploitable privilege escalation in JWT authentication middleware

Impact This is a privilege escalation vulnerability. The impact is negligible and entirely theoretical. A non-exploitable weakness was found in how the client-supplied JWTs are verified. Because an explicit allow-list of known algorithms is used in the PyJWT library, user-supplied (invalid) algorithms are rejected. If this was not the case, then the client JWTs could be tampered with, resulting in privilege escalation which would allow the attacker to perform any …