Python dependency PyJWT introduces potiential vulnerability - Githubissues

nccgroup / ScoutSuite

Multi-Cloud Security Auditing Tool

GNU General Public License v2.0

6.68k stars 1.06k forks source link

Python dependency PyJWT introduces potiential vulnerability #1437

Open johnwaghorn opened 2 years ago

johnwaghorn commented 2 years ago

Describe the bug

The Python dependency "PyJWT==1.7.1" of Scout Suite introduces a potiental vulnerability [CVE-2022-29217]
This is set in the requirements.txt file with a comment to 'FIXME '
The CVE for PyJWT has been patched in a later version of PyJWT, version 2.4.0

To Reproduce

pip install scoutsuite

Additional Notes

I understand it won't be as simple as just upgrading the package but please can this be looked into. Dependabot alerts get annoying for such things and your tool is useful.

Rashmi-AnonymousNot commented 2 years ago

Hi @fernando-gallego @johnwaghorn, I have looked into scoutsuite and would like to contribute to fixing this issue. If possible, can you assign this issue to me?