python-jose issues

Algorithm confusion with OpenSSH ECDSA keys and other key formats

1

we are getting the above issue as part of security vulnerability assessments. Can you please work on this issue as priority.

shripad-bhat

LLM tool generated fix for CVE-2024-33663

1

LLM tool generated fix for CVE-2024-33663

Chamiduz

Native .deb release for Debian 13 (Trixie)

Are there plans to release this package via the debian package repositories for Debian 13 (Trixie)? For Bookworm there was this. => [https://packages.debian.org/bookworm/python3-jose](https://packages.debian.org/bookworm/python3-jose), [https://packages.debian.org/search?keywords=python3-jose](https://packages.debian.org/search?keywords=python3-jose) That was very convenient, because then...

collinwebdesigns

Weak Key Acceptance and Curve Mismatch in ECDSA (ES256/ES384/ES512) Signature Validation

1

Hi, We are a research group dedicated to helping developers build secure and standards-compliant cryptographic software. As part of an ongoing study on JWT security, we developed an automated detector...

JWTSecAPI

Jwt audience validation: support array instead of only string

Current implementation of jwt.decode with audience support only one string: https://github.com/mpdavis/python-jose/blob/master/jose/jwt.py#L483 while pyjwt support a list of audiences: https://github.com/jpadilla/pyjwt/blob/master/jwt/api_jwt.py#L499 as well as authlib: https://github.com/lepture/authlib/blob/main/authlib/jose/rfc7519/claims.py#L130 but authlib is quite different implementation....

ericbl

CVE-2024-33663 IS COMING FOR PYTHON JOSE LATEST VERSION 3.3.0

1

CVE-2024-33663 IS COMING FOR PYTHON JOSE LATEST VERSION 3.3.0 Hi Team, We are facing CVE-2024-33663 with latest version.Can u help when this will be resolved.

parulchawla894

algorithm confusion issue

1

python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217. Below are the risk factors associated to this issue - Critical...

prasadayush