CVE-2022-29217
JWT Algorithm Confusion vulnerability in pyjwt (PyPI)
What is CVE-2022-29217 About?
This vulnerability is an algorithm confusion issue in PyJWT: the attacker, not the verifying application, ends up choosing the signing algorithm for a JWT, which can bypass signature verification. The impact is that an attacker could forge tokens that the relying application accepts as legitimate. Exploitation complexity is moderate, because it requires a specific misconfiguration in the consuming application.
Affected Software
- pyjwt
- >=1.5.0, <2.4.0
- <9c528670c455b8d948aff95ed50e22940d1ad3fc
Technical Details
PyJWT is a Python implementation of JSON Web Tokens (JWT). The vulnerability arises when an application is configured to accept a broad range of algorithms, specifically by passing jwt.algorithms.get_default_algorithms() as the accepted set, or by allowing algorithms such as 'none'. Although recent PyJWT versions reject the 'none' algorithm by default, the core issue is that if the application does not explicitly restrict the set of accepted algorithms, an attacker can name a less secure, or even an unsigned, algorithm in the JWT header. If the application then verifies the token with the algorithm named in that header, it may treat an unsigned (or weakly signed) token as valid, bypassing the intended signature check. This lets the attacker forge tokens that the victim application accepts.
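The defensive pattern the advisory calls for, as an added illustration (this is not code from PyJWT or from this advisory): a minimal standard-library JWT verifier that pins the accepted algorithm on the server side instead of trusting the token header, so a header naming 'none' or any unexpected algorithm is rejected before the signature is even looked at. The helpers `make_hs256_token`, `verify_pinned`, `is_accepted`, the PEM-secret guard and all sample tokens are constructed for this example; the PEM guard is an assumption about a sensible extra check, not a description of the library's own code.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 token (header.payload.signature) for the demo."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_pinned(token: str, secret: bytes, allowed_algs=("HS256",)) -> dict:
    """Hardened pattern: the verifier fixes the algorithm; the header must merely match."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    # Check the allow-list before touching the signature, so 'none' or any other
    # algorithm picked by the sender never reaches signature handling (HS256 only here).
    if alg not in allowed_algs or alg != "HS256":
        raise ValueError(f"algorithm {alg!r} is not accepted by this verifier")
    # Extra guard, an assumption added here: an HMAC secret that is PEM text means a
    # public key is being misused as a shared secret (asymmetric-to-HMAC key confusion).
    if secret.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("HMAC secret looks like a PEM-encoded key; refusing to verify")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))

def is_accepted(token: str, secret: bytes) -> bool:
    """True if verify_pinned accepts the token, False if it rejects it."""
    try:
        verify_pinned(token, secret)
        return True
    except ValueError:  # covers malformed base64/JSON, bad split, and our own rejections
        return False

# Constructed sample inputs (not taken from the advisory).
SECRET = b"constructed-demo-secret"
GOOD_TOKEN = make_hs256_token({"sub": "alice"}, SECRET)
# Header asks for no signature at all: a verifier that trusts the sender's 'alg'
# would accept this; the pinned verifier must not.
UNSIGNED_TOKEN = b64url_encode(b'{"alg":"none"}') + "." + b64url_encode(b'{"sub":"admin"}') + "."
```

The same rule applies to a real PyJWT call: pass an explicit, short `algorithms=[...]` list that matches the key type you hold, never the full default set.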
What is the Impact of CVE-2022-29217?
Successful exploitation may allow attackers to bypass authentication and authorization mechanisms by forging valid-looking JWT tokens, leading to unauthorized access to sensitive information or functionalities.
What is the Exploitability of CVE-2022-29217?
Exploitation complexity is moderate and depends on a specific misconfiguration in the consuming application's JWT decoding logic. No authentication is strictly required to craft and submit a malicious token, but the attacker needs to reach an endpoint that processes JWTs; no privileges beyond the ability to send requests to the application are necessary. This is typically a remote vulnerability. The key prerequisite is that the target application uses jwt.algorithms.get_default_algorithms() when decoding, or otherwise allows algorithm negotiation, and so trusts the algorithm the attacker names in the JWT header. The risk increases significantly when applications are implemented without explicitly defining a strong and limited set of accepted signing algorithms.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-29217?
About the Fix from Resolved Security
Available Upgrade Options
- pyjwt
- >=1.5.0, <2.4.0 → Upgrade to 2.4.0
- pyjwt
- <9c528670c455b8d948aff95ed50e22940d1ad3fc → Upgrade to 9c528670c455b8d948aff95ed50e22940d1ad3fc
Additional Resources
- https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
- https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc
- https://github.com/jpadilla/pyjwt
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HIYEYZRQEP6QTHT3EHH3RGFYJIHIMAO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5PK7IQCBVNLYJEFTPHBBPFP72H4WUFNX/
- https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2022-202.yaml
- https://github.com/jpadilla/pyjwt/releases/tag/2.4.0
- https://nvd.nist.gov/vuln/detail/CVE-2022-29217
What are Similar Vulnerabilities to CVE-2022-29217?
Similar Vulnerabilities: CVE-2016-5431, CVE-2017-0027, CVE-2015-8472, CVE-2018-0495
