contains an Generation of Error Message Containing Sensitive Information vulnerability that allows an attacker to view the victims Secret Key that is used to sign tokens. With the secret key an attacker would be able to create and sign valid tokens on the victims site and bypass authentication if JWT's are used for authorizing a user via the HTTP Authorization header for example. I've submitted a fix and PR:
Hello world,
The function
constructinhttps://github.com/mpdavis/python-jose/blob/4b0701b46a8d00988afcc5168c2b3a1fd60d15d8/jose/jwk.py#L63
contains an
Generation of Error Message Containing Sensitive Informationvulnerability that allows an attacker to view the victimsSecret Keythat is used to sign tokens. With the secret key an attacker would be able to create and sign valid tokens on the victims site and bypass authentication if JWT's are used for authorizing a user via the HTTPAuthorizationheader for example. I've submitted a fix and PR:https://github.com/mpdavis/python-jose/pull/328
Best regards, mr-n30