CVE-2024-37568

Publication date 9 June 2024

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)

Status

Show unmaintained releases

Package	Ubuntu Release	Status
python-authlib	24.10 oracular	Needs evaluation
	24.04 LTS noble	Vulnerable
	23.10 mantic	Ignored end of life, was needed
	22.04 LTS jammy	Vulnerable
	20.04 LTS focal	Not in release

How can I get the fixes?
What do statuses mean?

Severity score breakdown

Parameter	Value
Base score	7.5 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-37568
https://github.com/lepture/authlib/issues/654
https://github.com/lepture/authlib/commit/3bea812acefebc9ee108aa24557be3ba8971daf1 (v1.3.1)