CVE-2024-33663
Authentication Bypass vulnerability in python-jose (PyPI)

Authentication Bypass | No known exploit

What is CVE-2024-33663 About?

python-jose through 3.3.0 is vulnerable to an algorithm confusion vulnerability when processing OpenSSH ECDSA keys and other key formats. This allows an attacker to bypass authentication or signature verification on JSON Web Tokens (JWTs). Exploiting this is relatively easy for an attacker who can control the algorithm parameter in a JWT.

Affected Software

python-jose <3.4.0

Technical Details

The vulnerability in python-jose version 3.3.0 and earlier is an algorithm confusion issue, specifically in how the library handles OpenSSH ECDSA keys alongside other key formats, similar to CVE-2022-29217. When a JSON Web Token (JWT) is submitted for verification, an attacker can tamper with the alg (algorithm) header of the token, for example by replacing a strong asymmetric algorithm (such as RSA or ECDSA) with a symmetric algorithm (such as HMAC-SHA256). If python-jose is configured with an OpenSSH ECDSA public key and honours the attacker's alg header, it may verify the token with HMAC-SHA256 using the public key bytes as the HMAC secret. Because a public key is not secret, the attacker can compute that same HMAC and so produce tokens the library accepts, forging valid JWTs, bypassing signature verification, and consequently bypassing authentication or authorization.

What is the Impact of CVE-2024-33663?

Successful exploitation may allow attackers to forge valid authentication tokens, bypass security validation, and gain unauthorized access to protected resources or impersonate legitimate users.

What is the Exploitability of CVE-2024-33663?

Exploitation is of moderate complexity. It requires an attacker to craft a malicious JSON Web Token (JWT) whose 'alg' (algorithm) header has been manipulated to trigger the algorithm confusion. No prior authentication is required to attempt the exploit, since the goal is to bypass the existing authentication mechanism. The attack is typically remote, as JWTs are usually exchanged in network requests. The precondition is that the application uses python-jose for JWT validation, and that the vulnerable version processes tokens signed with attacker-controlled algorithms or uses public keys that can be re-interpreted as symmetric secrets. Risk factors that increase the likelihood of exploitation are insufficient validation of JWT headers (especially alg) and applications that accept JWTs from untrusted sources.
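The mitigation the technical details and the risk factors above point at is a guard that runs before any signature check: pin the expected algorithm on the verifier side (never take it from the token), and refuse HMAC verification outright when the configured key is public-key material. The following is an added, stdlib-only Python example of such a guard; it is not python-jose's own code, and the shared secret and the OpenSSH key line it uses are constructed placeholders, not real key material.

```python
import base64
import hashlib
import hmac
import json

# Assumed fixed allow-lists for this example; an application would keep only what it uses.
SYMMETRIC_ALGS = {"HS256", "HS384", "HS512"}
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"}
_HASH = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class JWTRejected(Exception):
    """Raised when a token fails a pre-verification or signature check."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def looks_like_asymmetric_key(key) -> bool:
    """Heuristic: PEM blocks and OpenSSH key lines are never acceptable HMAC secrets."""
    text = key.decode("utf-8", "replace") if isinstance(key, bytes) else str(key)
    text = text.lstrip()
    return text.startswith("-----BEGIN") or text.startswith(("ssh-", "ecdsa-sha2-", "sk-"))


def unverified_header(token: str) -> dict:
    """Parse the JOSE header without trusting it; only its shape is checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTRejected("malformed token: expected header.payload.signature")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers base64, UTF-8 and JSON decoding errors
        raise JWTRejected("malformed header") from exc
    if not isinstance(header, dict):
        raise JWTRejected("header is not a JSON object")
    return header


def check_alg_pinning(token: str, expected_alg: str, key) -> dict:
    """Reject the token before any cryptography runs if its alg header is not the
    one the application configured, or if an HMAC alg is paired with asymmetric key
    material (the confusion described in the advisory)."""
    if expected_alg not in SYMMETRIC_ALGS | ASYMMETRIC_ALGS:
        raise JWTRejected(f"unsupported pinned algorithm {expected_alg!r}")
    header = unverified_header(token)
    alg = header.get("alg")
    if alg != expected_alg:
        raise JWTRejected(f"alg header {alg!r} does not match pinned algorithm {expected_alg!r}")
    if alg in SYMMETRIC_ALGS and looks_like_asymmetric_key(key):
        raise JWTRejected("refusing HMAC verification with public-key material as the secret")
    return header


def verify_hs(token: str, secret: bytes, expected_alg: str = "HS256") -> dict:
    """Verify an HMAC-signed JWT and return its claims; raises JWTRejected on any failure."""
    if expected_alg not in SYMMETRIC_ALGS:
        raise JWTRejected("verify_hs only handles HS* algorithms")
    check_alg_pinning(token, expected_alg, secret)
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, _HASH[expected_alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JWTRejected("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def sign_hs(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint an HMAC-signed JWT; used here only to build sample tokens."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), _HASH[alg]).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


# Constructed sample material (not real keys).
SHARED_SECRET = b"constructed-shared-secret-for-example-only"
# Placeholder OpenSSH ECDSA public-key line; the base64 body is not a real key.
PUBLIC_KEY_TEXT = "ecdsa-sha2-nistp256 AAAAPLACEHOLDERNOTAREALKEY== user@example"


def demo() -> dict:
    """A legitimate HS256 token passes; the two confusion paths are rejected."""
    results = {}
    legit = sign_hs({"sub": "alice"}, SHARED_SECRET)
    results["legit"] = verify_hs(legit, SHARED_SECRET)["sub"]
    # The token shape the advisory describes: alg switched to HS256, HMAC keyed with the public key text.
    confused = sign_hs({"sub": "alice", "admin": True}, PUBLIC_KEY_TEXT.encode())
    for name, call in (
        ("confused_pinned", lambda: check_alg_pinning(confused, "ES256", PUBLIC_KEY_TEXT)),
        ("confused_hmac", lambda: verify_hs(confused, PUBLIC_KEY_TEXT.encode(), "HS256")),
    ):
        try:
            call()
            results[name] = "accepted"
        except JWTRejected as exc:
            results[name] = "rejected: " + str(exc)
    return results
```

The same idea applies when a real JWT library does the cryptography: pass the decode call an explicit allow-list containing only the algorithm the application actually uses, keep a key-type check like `looks_like_asymmetric_key` in front of it, and treat any token whose header disagrees as hostile input rather than something to negotiate over.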

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2024-33663?

Available Upgrade Options

  • python-jose
    • <3.4.0 → Upgrade to 3.4.0

Additional Resources

What are Similar Vulnerabilities to CVE-2024-33663?

Similar Vulnerabilities: CVE-2022-29217, CVE-2020-22129, CVE-2019-14876, CVE-2018-0498, CVE-2017-10115