Incorrect Comparison in pyjwt - CVE-2024-53861
Published: February 13, 2025
Vulnerability identifier: #VU103946
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-53861
CWE-ID: CWE-697
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: jpadilla (José Padilla)
Affected software:
pyjwt
pyjwt
Detailed vulnerability description
The vulnerability allows a remote attacker to modify data on the system.
The vulnerability exists due to an incorrect string comparison being run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. A remote attacker can trigger incorrect comparisons and modify data on the system.
How to mitigate CVE-2024-53861
Install updates from vendor's website.
Sources
- https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366
- https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1
- https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm