python-jose algorithm confusion with OpenSSH ECDSA keys · CVE-2024-33663 · GitHub Advisory Database · GitHub

python-jose algorithm confusion with OpenSSH ECDSA keys

High severity GitHub Reviewed Published Apr 26, 2024 to the GitHub Advisory Database • Updated Apr 26, 2024

Package

python-jose (pip)

Affected versions

<= 3.3.0

Patched versions

None

Description

python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

References

Published by the National Vulnerability Database

Apr 26, 2024

Published to the GitHub Advisory Database Apr 26, 2024

Last updated Apr 26, 2024

Reviewed Apr 26, 2024

Severity

High

7.4

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N