python_jose-2.0.2-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 6.5) #136
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
JOSE implementation in Python
Library home page: https://files.pythonhosted.org/packages/bf/5c/5fa238c0c5b0656994b52721dd8b1d7bf52ebd8786518dde794f44de86b6/python_jose-2.0.2-py2.py3-none-any.whl
Path to dependency file: /embedding/requirements.txt
Path to vulnerable library: /embedding/requirements.txt
Found in HEAD commit: f548525baaf6d16b6a6edc667027ce1b0516e50f
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - python_jose-2.0.2-py2.py3-none-any.whl
JOSE implementation in Python
Library home page: https://files.pythonhosted.org/packages/bf/5c/5fa238c0c5b0656994b52721dd8b1d7bf52ebd8786518dde794f44de86b6/python_jose-2.0.2-py2.py3-none-any.whl
Path to dependency file: /embedding/requirements.txt
Path to vulnerable library: /embedding/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: f548525baaf6d16b6a6edc667027ce1b0516e50f
Found in base branch: main
Vulnerability Details
python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.
Publish Date: 2024-04-25
URL: CVE-2024-33663
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
Vulnerable Library - python_jose-2.0.2-py2.py3-none-any.whl
JOSE implementation in Python
Library home page: https://files.pythonhosted.org/packages/bf/5c/5fa238c0c5b0656994b52721dd8b1d7bf52ebd8786518dde794f44de86b6/python_jose-2.0.2-py2.py3-none-any.whl
Path to dependency file: /embedding/requirements.txt
Path to vulnerable library: /embedding/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: f548525baaf6d16b6a6edc667027ce1b0516e50f
Found in base branch: main
Vulnerability Details
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.
Publish Date: 2024-04-25
URL: CVE-2024-33664
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: