oauth-pythonclient

[SECURITY] Version 1.2.4 is affected by CVE-2024-23342 in ecdsa

Open kartikye opened this issue 1 year ago • 5 comments

https://nvd.nist.gov/vuln/detail/CVE-2024-23342

kartikye avatar Feb 13 '24 22:02 kartikye

Hey @kartikye, we're on it and are exploring a different cryptographic backend or a new package altogether.

Keep an eye out for updates.

robert-mings avatar Feb 16 '24 04:02 robert-mings

ecdsa is being brought in by python-jose, which has not had a release since 2021. Most of the Python ecosystem seems to have moved to pyjwt.

r-thomson avatar Feb 20 '24 19:02 r-thomson

1.2.5 is also affected :(

geekkun avatar Mar 01 '24 12:03 geekkun

Any updates on this? python-jose is now failing pip audits for these two: https://github.com/advisories?query=GHSA-6c5p-j8vq-pqhj and https://github.com/advisories?query=GHSA-cjwg-qfpm-7377

3point14guy avatar Apr 26 '24 20:04 3point14guy

We now have two alternates: #48 and #49.

Natim avatar May 28 '24 12:05 Natim

Any update on this matter? This CVE affects a lot of our services' score.

yahel2410 avatar Jul 14 '24 14:07 yahel2410

Hi @kartikye, @r-thomson, @geekkun, @3point14guy, @Natim, @yahel2410 - v1.2.6 solves this by moving to pyjwt and is now available. Please update as soon as possible. Thanks!

robert-mings avatar Aug 01 '24 00:08 robert-mings