search

opentok / Opentok-Python-SDK

OpenTok Python SDK
https://tokbox.com/developer/sdks/python/
MIT License
73 stars 82 forks source link

python_jose-3.3.0-py2.py3-none-any.whl: 2 vulnerabilities (highest severity is: 6.5) #234

Open mend-for-github-com[bot] opened 4 months ago

mend-for-github-com[bot] commented 4 months ago
Vulnerable Library - python_jose-3.3.0-py2.py3-none-any.whl

JOSE implementation in Python

Library home page: https://files.pythonhosted.org/packages/bd/2d/e94b2f7bab6773c70efc70a61d66e312e1febccd9e0db6b9e0adf58cbad1/python_jose-3.3.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/Opentok-Python-SDK,/sample/HelloWorld/requirements.txt

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (python_jose version) Remediation Possible** Reachability
CVE-2024-33663 Medium 6.5 Not Defined 0.0% python_jose-3.3.0-py2.py3-none-any.whl Direct N/A
CVE-2024-33664 Medium 5.3 Not Defined 0.0% python_jose-3.3.0-py2.py3-none-any.whl Direct N/A

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-33663 ### Vulnerable Library - python_jose-3.3.0-py2.py3-none-any.whl

JOSE implementation in Python

Library home page: https://files.pythonhosted.org/packages/bd/2d/e94b2f7bab6773c70efc70a61d66e312e1febccd9e0db6b9e0adf58cbad1/python_jose-3.3.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/Opentok-Python-SDK,/sample/HelloWorld/requirements.txt

Dependency Hierarchy: - :x: **python_jose-3.3.0-py2.py3-none-any.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

Publish Date: 2024-04-25

URL: CVE-2024-33663

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2024-33664 ### Vulnerable Library - python_jose-3.3.0-py2.py3-none-any.whl

JOSE implementation in Python

Library home page: https://files.pythonhosted.org/packages/bd/2d/e94b2f7bab6773c70efc70a61d66e312e1febccd9e0db6b9e0adf58cbad1/python_jose-3.3.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/Opentok-Python-SDK,/sample/HelloWorld/requirements.txt

Dependency Hierarchy: - :x: **python_jose-3.3.0-py2.py3-none-any.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.

Publish Date: 2024-04-25

URL: CVE-2024-33664

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

asixela commented 2 weeks ago

Hello, Do you know if these vulnerabilities will be fixed soon ?

Thanks