flask-jwt-extended icon indicating copy to clipboard operation
flask-jwt-extended copied to clipboard

Published 20 hours ago verified publisher icon vimalloc

Minimum cryptography version is vulnerable to CVE

Open jtait opened this issue 1 year ago • 1 comments

I see in #535 there is a bump to cryptography up to version 41.0.6. This bump only applies to requirements.txt and not setup.py, so the version of flask-jwt-extended installed from PyPI doesn't enforce the minimum version. This allows an installation to use a vulnerable version of Cryptography with this library.

I didn't open a pull request because I'm not sure if you want to force users to upgrade. The current setup doesn't prevent users from upgrading but in my own case I updated flask-jwt-extended using Poetry in my project and a new version of cryptography wasn't installed automatically.

Is this something you want addressed? If not it might be worth adding a note to the docs warning against the vulnerable dependency.

jtait avatar Jan 06 '24 18:01 jtait

This was the original reason why it is setup the way it is: https://github.com/vimalloc/flask-jwt-extended/issues/467#issue-1143611571

I'm honestly not sure what best practices would dictate here. I'll think on this, and welcome any input that you or others may have!

vimalloc avatar Jan 07 '24 20:01 vimalloc