Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-39227

Good to know:

icon
icon

Date: September 23, 2022

python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.

Language: Python

Severity Score

Related Resources (8)

https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9
https://github.com/davedoesdev/python-jwt/commit/6c5075469847b9e8b6e5336077d989d77a4d2bf1
https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp
https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt
https://nvd.nist.gov/vuln/detail/CVE-2022-39227
https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml
https://github.com/davedoesdev/python-jwt
https://www.mend.io/vulnerability-database/CVE-2022-39227

Severity Score

Weakness Type (CWE)

Authentication Bypass by Spoofing

CWE-290

Top Fix

icon

Upgrade Version

Upgrade to version python-jwt - 3.3.4

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us