okta / okta-sdk-python


vulnerability in indirect import of ecdsa library #395

Closed somurzakov-rbx closed 4 weeks ago

somurzakov-rbx commented 2 months ago

https://security.snyk.io/vuln/SNYK-PYTHON-ECDSA-6184115 https://nvd.nist.gov/vuln/detail/CVE-2024-23342

Okta is using the python-jose library, which in turn uses the ecdsa library. The ecdsa package has CVE-2024-23342 and currently has no version that fixes this vuln.

Is Okta planning to close this vuln by removing the ecdsa dependency in favor of a different library? Thanks.
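The question above is really "which of my direct dependencies drags ecdsa in?". As an added example (not Okta's code), the script below walks a dependency graph and reports every chain from a root package to a target package; the graph in `CONSTRUCTED_GRAPH` is constructed to mirror the okta -> python-jose -> ecdsa chain described in this issue, and `installed_graph()` builds the same structure from whatever is actually installed via `importlib.metadata`.

```python
"""Trace the transitive paths by which a flagged package (here ecdsa,
CVE-2024-23342 per the issue) reaches a project.

Added example, not Okta's code. CONSTRUCTED_GRAPH is an illustrative
graph modelled on the chain described in the issue; installed_graph()
reads the real one from the current environment.
"""
import re
from importlib import metadata

# Constructed, illustrative graph: {package: {direct dependencies}}.
CONSTRUCTED_GRAPH = {
    "okta": {"python-jose", "aiohttp", "pyyaml"},
    "python-jose": {"ecdsa", "rsa", "pyasn1"},
    "ecdsa": {"six"},
    "rsa": {"pyasn1"},
}


def normalize(requirement: str) -> str:
    """Reduce 'python-jose[cryptography]>=3.3; extra == "x"' or
    'ecdsa (!=0.15)' to the PEP 503 normalized distribution name."""
    name = re.match(r"[A-Za-z0-9._-]+", requirement.strip()).group(0)
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_graph() -> dict:
    """Build the dependency graph of the installed environment.
    Requirements behind extras are kept, so this over-approximates."""
    graph = {}
    for dist in metadata.distributions():
        name = normalize(dist.metadata["Name"])
        graph[name] = {normalize(r) for r in (dist.requires or [])}
    return graph


def paths_to(graph: dict, root: str, target: str) -> list:
    """Return every dependency chain from root to target (depth-first,
    deterministic order, cycle-safe), e.g. [['okta','python-jose','ecdsa']]."""
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for dep in sorted(graph.get(node, ())):
            if dep not in path:  # guard against dependency cycles
                walk(dep, path + [dep])

    walk(root, [root])
    return found


if __name__ == "__main__":
    for chain in paths_to(CONSTRUCTED_GRAPH, "okta", "ecdsa"):
        print(" -> ".join(chain))
```

Run `paths_to(installed_graph(), "okta", "ecdsa")` inside the affected virtualenv to see the live chains; an empty list after upgrading means ecdsa is no longer reachable from the SDK.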

nkatomeris-r7 commented 2 months ago

Related issue in python-jose: https://github.com/mpdavis/python-jose/issues/341

bryanapellanes-okta commented 4 weeks ago

This should be fixed by #403. Please submit a new issue referencing this one if this is still a problem.