python-jose icon indicating copy to clipboard operation
python-jose copied to clipboard
verified publisher icon mpdavis

jwk.py

Open mr-n30 opened this issue 2 years ago • 0 comments

Hello world,

The function construct in

https://github.com/mpdavis/python-jose/blob/4b0701b46a8d00988afcc5168c2b3a1fd60d15d8/jose/jwk.py#L63

contains an Generation of Error Message Containing Sensitive Information vulnerability that allows an attacker to view the victims Secret Key that is used to sign tokens. With the secret key an attacker would be able to create and sign valid tokens on the victims site and bypass authentication if JWT's are used for authorizing a user via the HTTP Authorization header for example. I've submitted a fix and PR:

https://github.com/mpdavis/python-jose/pull/328

Best regards, mr-n30

mr-n30 avatar Aug 16 '23 20:08 mr-n30