CVE-2017-11424

Priority
Medium
Description
In PyJWT 1.5.0 and below, the `invalid_strings` check in
`HMACAlgorithm.prepare_key` does not account for all PEM encoded public
keys. Specifically, the PKCS1 PEM encoded format is allowed because it is
prefaced with the string `-----BEGIN RSA PUBLIC KEY-----`, which the check
does not cover. This enables symmetric/asymmetric key confusion attacks
against users who verify tokens with PKCS1 PEM encoded public keys, which
would allow an attacker to craft JWTs from scratch.
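The check the description refers to, as an added illustration that is not PyJWT's own code: a fixed-prefix deny list of the kind the vulnerable `prepare_key` used (the list here is assumed, not copied from 1.5.0) beside a pattern-based check that rejects any PEM-framed or OpenSSH key offered as an HMAC secret, the PKCS1 header included. The sample keys are constructed placeholders.

```python
import re

# Added example, not PyJWT's own code: a fixed-prefix check of the kind
# CVE-2017-11424 describes, beside a pattern-based check that rejects any
# PEM-framed or OpenSSH key offered as an HMAC secret, PKCS#1 included.

# Constructed sample inputs; the base64 bodies are placeholders, not real keys.
PKCS1_PUBLIC_KEY = b"-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEA...\n-----END RSA PUBLIC KEY-----\n"
SPKI_PUBLIC_KEY = b"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkq...\n-----END PUBLIC KEY-----\n"
OPENSSH_KEY = b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB... user@host"
HMAC_SECRET = b"constructed-shared-secret"

# Deny list in the style of the vulnerable check (assumed, not copied from
# PyJWT 1.5.0); it lacks the PKCS#1 "RSA PUBLIC KEY" header, which is the gap.
INCOMPLETE_DENY_LIST = (
    b"-----BEGIN PUBLIC KEY-----",
    b"-----BEGIN CERTIFICATE-----",
    b"ssh-rsa",
)

# Any PEM header, whatever its label, or any OpenSSH public-key type prefix.
_PEM_HEADER = re.compile(rb"^\s*-----BEGIN [A-Z0-9 ]+-----")
_OPENSSH_PREFIX = re.compile(rb"^\s*(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)")

class InvalidKeyError(ValueError): pass  # asymmetric key offered as HMAC secret

def _as_bytes(key):
    return key.encode("utf-8") if isinstance(key, str) else bytes(key)

def fixed_list_prepare_key(key):
    """Vulnerable pattern: only headers on the list are rejected."""
    key = _as_bytes(key)
    if any(key.startswith(p) for p in INCOMPLETE_DENY_LIST):
        raise InvalidKeyError("asymmetric key used as HMAC secret")
    return key

def hardened_prepare_key(key):
    """Hardened: reject every PEM block and OpenSSH key, not just known labels."""
    key = _as_bytes(key)
    if _PEM_HEADER.search(key) or _OPENSSH_PREFIX.search(key):
        raise InvalidKeyError("asymmetric key used as HMAC secret")
    return key

def accepts(check, key):
    # True when `check` would go on to use `key` as an HMAC secret.
    try:
        check(key)
    except InvalidKeyError:
        return False
    return True
```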
References
Notes
 tyhicks> The added deprecation warnings present in the fix probably aren't
  needed in security backports
Assigned-to
leosilva
Package
Source: pyjwt (LP Ubuntu Debian)
Upstream: needed
Ubuntu 17.10 (Artful Aardvark): released (1.4.2-1ubuntu1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (1.3.0-1ubuntu0.1)
Ubuntu 17.04 (Zesty Zapus): released (1.4.2-1ubuntu0.1)
Patches:
Upstream: https://github.com/jpadilla/pyjwt/pull/277
More Information

Updated: 2017-09-01 11:14:13 UTC (commit 13242)