Incorrect Comparison in jpadilla pyjwt
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-53861 |
| CWE-ID | CWE-697 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
pyjwt Other software / Other software solutions |
| Vendor | jpadilla (José Padilla) |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Incorrect Comparison
EUVDB-ID: #VU103946
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-53861
CWE-ID:
CWE-697 - Incorrect Comparison
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to modify data on the system.
The vulnerability exists due to an incorrect string comparison being run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. A remote attacker can trigger incorrect comparisons and modify data on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionspyjwt: 2.10.0
CPE2.3 External linkshttp://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366
http://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1
http://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
