intuit / oauth-pythonclient

The Python OAuth client provides a set of methods that make it easier to work with Intuit's OAuth and OpenID Connect implementation.
Apache License 2.0

[SECURITY] Version 1.2.4 is affected by CVE-2024-23342 in ecdsa #44

Closed kartikye closed 2 months ago

kartikye commented 8 months ago

https://nvd.nist.gov/vuln/detail/CVE-2024-23342

robert-mings commented 8 months ago

Hey @kartikye, we're on it and are exploring a different cryptographic backend or a new package altogether.

Keep an eye out for updates.

r-thomson commented 8 months ago

ecdsa is being brought in by python-jose, which has not had a release since 2021. Most of the Python ecosystem seems to have moved to pyjwt.

geekkun commented 7 months ago

1.2.5 is also affected :(

3point14guy commented 5 months ago

Any updates on this? python-jose is now failing pip audits for these two: https://github.com/advisories?query=GHSA-6c5p-j8vq-pqhj https://github.com/advisories?query=GHSA-cjwg-qfpm-7377

Natim commented 4 months ago

We now have two alternates #48 and #49

yahel2410 commented 3 months ago

Any update on this matter? This CVE affects a lot of our services' score.

robert-mings commented 2 months ago

Hi @kartikye, @r-thomson, @geekkun, @3point14guy, @Natim, @yahel2410 - v1.2.6 solves this by moving to pyjwt and is now available. Please update as soon as possible. Thanks!
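The thread above boils down to a dependency check: intuit-oauth 1.2.4 and 1.2.5 pull in python-jose, which depends on ecdsa (CVE-2024-23342), and 1.2.6 replaced python-jose with pyjwt. The script below is an added example, not code from the intuit/oauth-pythonclient project, that encodes exactly those facts as an audit of an installed environment. It uses only the standard library so it runs offline; `SAMPLE_INVENTORY`, the function names and the `SUSPECT_PACKAGES` list are assumptions made for the example, and the sample version strings are constructed, not taken from the issue.

```python
"""Audit a Python environment for the intuit-oauth / python-jose / ecdsa chain
discussed in intuit/oauth-pythonclient issue #44 (CVE-2024-23342).

Added example; not part of the intuit-oauth project. Facts used:
  - intuit-oauth < 1.2.6 depends on python-jose, which brings in ecdsa
  - intuit-oauth 1.2.6 moved to pyjwt
"""
from importlib import metadata

FIXED_INTUIT_OAUTH = (1, 2, 6)

# Packages whose presence means the python-jose/ecdsa chain is still installed
# (possibly via another dependency, so each hit should be traced to its source).
# Assumption: names are compared in normalised (lowercase, hyphenated) form.
SUSPECT_PACKAGES = ("python-jose", "ecdsa")


def parse_version(version: str) -> tuple:
    """Turn '1.2.6' (or '1.2.6rc1') into a comparable 3-tuple of ints.

    Trailing non-numeric suffixes are ignored, missing components are 0.
    Deliberately simpler than PEP 440; good enough for a major.minor.patch gate.
    """
    parts = []
    for chunk in version.split(".")[:3]:
        digits = ""
        for ch in chunk:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def audit_inventory(inventory: dict) -> list:
    """Return a list of findings for a {normalised-name: version} inventory.

    An empty list means the environment is on intuit-oauth >= 1.2.6 (or does
    not use it) and neither python-jose nor ecdsa is installed.
    """
    findings = []
    oauth_ver = inventory.get("intuit-oauth")
    if oauth_ver is not None and parse_version(oauth_ver) < FIXED_INTUIT_OAUTH:
        findings.append(
            f"intuit-oauth {oauth_ver} predates 1.2.6 (python-jose/ecdsa backend); upgrade"
        )
    for name in SUSPECT_PACKAGES:
        if name in inventory:
            findings.append(
                f"{name} {inventory[name]} is installed: python-jose/ecdsa chain still present"
            )
    return findings


def installed_inventory() -> dict:
    """Read the running interpreter's distributions via importlib.metadata."""
    inventory = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name:
            inventory[name.lower().replace("_", "-")] = dist.version
    return inventory


# Constructed sample inventory (versions are illustrative, not from the issue):
# an environment still on 1.2.5 with the old backend present.
SAMPLE_INVENTORY = {
    "intuit-oauth": "1.2.5",
    "python-jose": "3.3.0",
    "ecdsa": "0.18.0",
    "requests": "2.31.0",
}


if __name__ == "__main__":
    print("sample inventory:")
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print("  -", finding)
    print("this environment:")
    for finding in audit_inventory(installed_inventory()) or ["no findings"]:
        print("  -", finding)
```

Run it inside the virtualenv that ships your service; a clean result after upgrading to 1.2.6 still deserves a look at `pip audit`, since python-jose can be pulled in by something other than intuit-oauth.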