okta-jwt-verifier-python
https://github.com/okta/okta-jwt-verifier-python
Apache License 2.0

Dependency python-Jose appears to be unmaintained #54

Open jusdino opened 6 months ago

jusdino commented 6 months ago

Hey - just a heads-up that it appears this library is using python-jose as a dependency, which hasn't been updated in ~2 years. Maintainers haven't shown any activity in GitHub for issues or pull requests in quite a while, either. It would probably be prudent to pivot to PyJWT or JWCrypto, before CVEs start cropping up against the abandoned library.

lewisdoesstuff commented 5 months ago

> before CVEs start cropping up against the abandoned library.

Looks like that's now, found in python-ecdsa.

Are there any plans to use the cryptography build of python-jose, or migrate?

rsb177 commented 4 months ago

@bretterer any updates on this? Does Okta have a migration plan? Or should we switch to a new library altogether?

lewisdoesstuff commented 2 months ago

Yet more vulnerabilities discovered in python-jose.

We could really do with a PyJWT build of this.

developingAlex commented 1 month ago

It looks like the implementation mitigates this vulnerability (at least from what I looked into for the AccessTokenVerifier), since when calling verify_access_token it will assert that the supplied header algorithm is set to RS256 (NOT HS256, which is the dangerous one) and raises a JWTValidationException if it finds it set to anything other than that.

Furthermore, it then goes on to verify the signature and is explicit about using the RS256 algorithm (not leaving it up to the unsafe default of HS256).
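The header-algorithm gate described in the comment above, as an added stand-alone illustration in Python using only the standard library; it is not code from okta-jwt-verifier-python or python-jose, and the function names and the constructed test tokens are assumptions. It shows only the policy step that runs before any signature verification: the expected algorithm is pinned by the verifier, and a token whose header advertises anything else (HS256, none, or no alg at all) is rejected before key material is touched.

```python
import base64
import json


class JWTValidationException(Exception):
    """Raised when a token fails a policy check (name mirrors the one in the thread)."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_header(token: str) -> dict:
    """Parse the JOSE header without trusting anything else in the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTValidationException("token must have exactly three segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise JWTValidationException("header is not valid base64url JSON") from exc
    if not isinstance(header, dict):
        raise JWTValidationException("header must be a JSON object")
    return header


def enforce_expected_alg(token: str, expected_alg: str = "RS256") -> str:
    """Reject the token unless the header 'alg' equals the verifier's pinned algorithm.

    The caller then verifies the signature with expected_alg, never with the
    header value, so a token advertising HS256 or 'none' is refused up front.
    """
    alg = decode_header(token).get("alg")
    if alg != expected_alg:
        raise JWTValidationException(f"unexpected alg {alg!r}; expected {expected_alg!r}")
    return alg


def make_test_token(header: dict) -> str:
    """Constructed, unsigned token (empty payload, empty signature) for exercising the gate."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({})}."
```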

lukehsiao commented 1 month ago

@developingAlex which vulnerability are you looking at exactly? There are a few. For example https://github.com/mpdavis/python-jose/issues/344 is https://github.com/advisories/GHSA-cjwg-qfpm-7377, and as far as I understand, is not necessarily related to the algorithm chosen.

developingAlex commented 1 month ago

Sorry, I was referring only to this python-jose issue description.