[CVE-2024-23342] python-jose include by default python-ecdsa #388

Closed · fruch opened this issue Feb 26, 2024 · 7 comments

Comments

@fruch

fruch commented Feb 26, 2024

This package uses python-jose, which in turn brings in python-ecdsa,

which has the high-severity CVE-2024-23342.
See:
GHSA-wj6h-64fc-37mp

See the discussion on python-jose:
mpdavis/python-jose#341

@leonides-saguisag

Can remediating this be prioritized? Our security tooling is flagging this vulnerability.

@amancioandre

Upvoting my colleague's request above. Security is flagging this as a high-risk vulnerability.

@fruch (Author)

fruch commented Mar 3, 2024

If it were any other package that uses it, fine; but for the one gating the security of all of the organization's services and tools, this is a little alarming.

Even though this package won't be used when cryptography is installed, it's not trivial for anyone to make sure it's not.

@mdowling17

mdowling17 commented Mar 4, 2024

@okta pyjwt is a good alternative to python-jose.

@mrdcbrush

mrdcbrush commented Apr 2, 2024

There is a workaround if you do not need the JWT and JWK methods of the SDK.

The following Okta SDK dependencies can be uninstalled:

- python-jose
- ecdsa
- pyasn1
- rsa
- six

After uninstalling those libraries you can comment out lines 3 and 4 in
./okta/jwt.py:

```python
3 # import jose.jwk as jwk
4 # import jose.jwt as jwt
```

@fruch (Author)

fruch commented Apr 3, 2024

> There is a workaround If you do not need the JWT and JSK methods of the SDK.
>
> The following Okta SDK dependencies can be uninstalled.
>
> python-jose
> ecdsa
> pyasn1
> rsa
> six
>
> After uninstalling those libraries you can comment out lines 3 and 4 in:
> ./okta/jwt.py
>
> 3 # import jose.jwk as jwk
> 4 # import jose.jwt as jwt

Thanks @mrdcbrush, it would make sure it doesn't use that library, yes.

But lots of the tooling, which just reads your requirements.txt or lock files, would still warn about this.

I would expect Okta to find a better solution, not one where we need extra steps after installing and have to patch the code.
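The two comments above describe the same gap from opposite sides: the workaround removes python-jose and its dependency chain from the environment, while lock-file scanners keep flagging whatever is still pinned in requirements.txt. The script below is an added example, not code from the okta-sdk-python project or from anyone in this thread. It parses a pip-freeze style listing (a constructed sample is embedded), reports whether python-ecdsa is present, whether python-jose is present without the cryptography backend that the thread notes takes precedence over ecdsa, and whether leftovers from the chain (pyasn1, rsa, six) remain after python-jose was removed. The `installed_distributions()` helper reads the running interpreter instead so the same audit can run in CI; package names and versions in the sample are illustrative only.

```python
"""Added example (not okta-sdk-python code): audit a requirements/pip-freeze
listing for the python-ecdsa chain that GHSA-wj6h-64fc-37mp (CVE-2024-23342)
concerns, the way a lock-file scanner would see it."""
from __future__ import annotations

import re
from importlib import metadata

# The python-jose dependency chain as named in the issue thread.
JOSE_CHAIN = {"python-jose", "ecdsa", "pyasn1", "rsa", "six"}
ADVISORY = "GHSA-wj6h-64fc-37mp / CVE-2024-23342"

# Matches "name[extra]==version"; the version is optional so unpinned lines parse too.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?"
    r"\s*(?:==\s*(?P<version>[^\s;#]+))?"
)

# Constructed sample input for illustration; it is not a real environment.
SAMPLE_FREEZE = """\
# constructed pip freeze output
cryptography==42.0.4
ecdsa==0.18.0
pyasn1==0.5.1
python-jose[cryptography]==3.3.0
rsa==4.9
six==1.16.0
"""


def normalize(name: str) -> str:
    """PEP 503 style normalization so 'Python_Jose' and 'python-jose' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> dict[str, str | None]:
    """Map normalized package name -> pinned version (None when unpinned).

    Blank lines, comments and pip options such as -r or --hash are skipped.
    """
    pinned: dict[str, str | None] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue
        m = _REQ_RE.match(stripped)
        if m:
            pinned[normalize(m.group("name"))] = m.group("version")
    return pinned


def installed_distributions() -> dict[str, str | None]:
    """Same shape as parse_requirements(), taken from the running interpreter."""
    return {normalize(d.metadata["Name"]): d.version for d in metadata.distributions()}


def audit(packages: dict[str, str | None]) -> dict:
    """Return presence flags plus (severity, message) findings for the ecdsa chain."""
    has_ecdsa = "ecdsa" in packages
    has_jose = "python-jose" in packages
    has_crypto = "cryptography" in packages
    findings: list[tuple[str, str]] = []
    if has_ecdsa:
        ver = packages["ecdsa"] or "unpinned"
        findings.append(("high", f"ecdsa ({ver}) present; flagged by {ADVISORY}"))
    if has_jose and not has_crypto:
        findings.append(("high", "python-jose without cryptography: the ecdsa backend would be used"))
    elif has_jose and has_crypto:
        findings.append(("info", "cryptography present: python-jose prefers it, but scanners still see ecdsa"))
    # Chain members left behind after python-jose itself was uninstalled.
    leftovers = sorted(packages.keys() & (JOSE_CHAIN - {"python-jose"})) if not has_jose else []
    if leftovers:
        findings.append(("low", "python-jose removed but chain members remain: " + ", ".join(leftovers)))
    return {"ecdsa": has_ecdsa, "python_jose": has_jose, "cryptography": has_crypto, "findings": findings}


if __name__ == "__main__":
    for severity, message in audit(parse_requirements(SAMPLE_FREEZE))["findings"]:
        print(f"[{severity}] {message}")
```

Run it against `pip freeze` output or a lock file to see what a scanner will report, and against `installed_distributions()` to confirm the workaround actually removed the packages from the environment; the "low" finding catches the case where python-jose was uninstalled but rsa, six or pyasn1 were left behind.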

@bryanapellanes-okta (Contributor)

This should be fixed by #403. Please submit a new issue referencing this one if this is still a problem.


6 participants