Closed fruch closed 4 weeks ago
Can remediating this be prioritized? Our security tooling is flagging this vulnerability.
Upvoting my colleague's request above. Security is flagging this as a high risk vulnerability.
If it was any other package that uses it, but the one gating the security for all of the organization services and tools, this is a little alarming.
Even though this package won't be used when cryptography is installed, it's not trivial for anyone to make sure it's not
@Okta pyjwt is a good alternative to python-jose.
There is a workaround if you do not need the JWT and JWK methods of the SDK.
The following Okta SDK dependencies can be uninstalled.
python-jose ecdsa pyasn1 rsa six
After uninstalling those libraries you can comment out lines 3 and 4 in: ./okta/jwt.py
3 # import jose.jwk as jwk
4 # import jose.jwt as jwt
Thanks @mrdcbrush, it would make sure it doesn't use that library, yes.
But lots of the tooling which is just gonna read your requirements.txt or lock files would still warn about this.
I would expect OKTA to find a better solution, and not such that we need to have extra steps after installing and patching the code.
This should be fixed by #403. Please submit new issue referencing this one if this is still a problem.
this package is using python-jose, which in turn brings in python-ecdsa, which has high CVE-2024-23342, see: https://github.com/advisories/GHSA-wj6h-64fc-37mp
see discussion on python-jose: https://github.com/mpdavis/python-jose/issues/341