okta-sdk-python
[CVE-2024-23342] python-jose includes python-ecdsa by default
This package uses python-jose, which in turn brings in python-ecdsa,
which has the high-severity CVE-2024-23342; see: https://github.com/advisories/GHSA-wj6h-64fc-37mp
See the discussion on python-jose:
https://github.com/mpdavis/python-jose/issues/341
Can remediating this be prioritized? Our security tooling is flagging this vulnerability.
Upvoting my colleague's request above. Security is flagging this as a high-risk vulnerability.
If it was any other package that uses it, but the one gating the security for all of the organization services and tools, this is a little alarming.
Even though this package won't be used when cryptography is installed, it's not trivial for anyone to make sure it's not
@Okta pyjwt is a good alternative to python-jose.
There is a workaround if you do not need the JWT and JWK methods of the SDK.
The following Okta SDK dependencies can be uninstalled:
python-jose ecdsa pyasn1 rsa six
After uninstalling those libraries you can comment out lines 3 and 4 in ./okta/jwt.py:
3 # import jose.jwk as jwk
4 # import jose.jwt as jwt
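As an added example (not code from the okta-sdk-python project or from anyone in this thread): a small script that walks the installed package metadata and prints every dependency chain from a root package to a flagged one, so you can confirm whether ecdsa is reachable only through python-jose, as this issue describes, before and after the uninstall above. The SAMPLE_GRAPH and its edges are constructed for the demo; the live check reads whatever is installed in the current environment.

```python
import re
from collections import defaultdict
from importlib.metadata import distributions
# Leading name of a Requires-Dist entry such as "ecdsa!=0.15; extra == 'x'".
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name):
    """PEP 503 style normalisation: Python_Jose -> python-jose."""
    return re.sub(r"[-_.]+", "-", name).lower()

def installed_graph():
    """{package: {direct dependency, ...}} for every installed distribution.
    Requirements behind an 'extra ==' marker are skipped (heuristic): they are
    only present if that extra was requested, e.g. python-jose[cryptography]."""
    graph = defaultdict(set)
    for dist in distributions():
        name = normalize(dist.metadata["Name"])
        for req in dist.requires or []:
            match = _NAME_RE.match(req)
            if match and "extra ==" not in req:
                graph[name].add(normalize(match.group(1)))
    return graph

def dependency_chains(graph, root, target):
    """Return every path root -> ... -> target as a list of name lists."""
    root, target = normalize(root), normalize(target)
    chains = []
    def walk(node, path):
        if node == target:
            chains.append(path)
            return
        for dep in sorted(graph.get(node, ())):
            if dep not in path:  # ignore cycles
                walk(dep, path + [dep])
    walk(root, [root])
    return chains

# Constructed sample graph mirroring the chain reported in this issue; the
# edges are hand-written for the demo, not read from real package metadata.
SAMPLE_GRAPH = {
    "okta": {"python-jose", "aiohttp"},
    "python-jose": {"ecdsa", "rsa", "pyasn1"},
    "ecdsa": {"six"},
    "rsa": {"pyasn1"},
}

if __name__ == "__main__":
    for graph, label in ((SAMPLE_GRAPH, "sample"), (installed_graph(), "installed")):
        for chain in dependency_chains(graph, "okta", "ecdsa"):
            print(f"{label}: {' -> '.join(chain)}")
```

Run it again after uninstalling the five packages: an empty "installed" result means no remaining distribution declares a non-extra requirement on ecdsa, which is what the lock-file scanners mentioned later in the thread will also need to see.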
Thanks @mrdcbrush, it would make sure it doesn't use that library, yes.
But a lot of the tooling that just reads your requirements.txt or lock files would still warn about this.
I would expect OKTA to find a better solution, and not such that we need to have extra steps after installing and patching the code.
This should be fixed by #403. Please submit new issue referencing this one if this is still a problem.