Critical severity · NVD Advisory · Published Sep 23, 2022 · Updated Aug 3, 2024
Python-jwt subject to Authentication Bypass by Spoofing
CVE-2022-39227
Description
python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other users' identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.
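The advisory's core point is that a token holder could change the token's contents without the secret key, which means the verifier was accepting claims that the signature did not actually cover. The property a JWT verifier must guarantee is that claims are returned only from the exact payload segment the signature was computed over, with the algorithm pinned by the verifier rather than read from the token. The following is an added, standard-library-only illustration of that invariant; it is not python-jwt's code and not the logic of its fix. `DEMO_KEY`, the claim values, and the helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret for this example only; real deployments use a random key.
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    # JWS uses unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact serialization strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims only if the signature covers exactly this header and payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three compact segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The verifier decides the algorithm; the token's own 'alg' is only checked for agreement.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the MAC.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    # Claims come from the signed payload segment and nowhere else.
    return json.loads(_b64url_decode(payload_b64))


def with_replaced_payload(token: str, new_claims: dict) -> str:
    """Constructed negative test input: same header and signature, different payload."""
    header_b64, _payload_b64, sig_b64 = token.split(".")
    new_payload = _b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return header_b64 + "." + new_payload + "." + sig_b64


def demo() -> dict:
    """Genuine token verifies; a token whose payload was swapped is rejected."""
    genuine = sign_hs256({"sub": "alice", "role": "user"}, DEMO_KEY)
    swapped = with_replaced_payload(genuine, {"sub": "alice", "role": "admin"})
    result = {"genuine_ok": verify_hs256(genuine, DEMO_KEY)["role"] == "user"}
    try:
        verify_hs256(swapped, DEMO_KEY)
        result["swapped_rejected"] = False
    except ValueError:
        result["swapped_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The check that matters for this advisory's bug class is the last line of `verify_hs256`: the returned claims are decoded from `payload_b64`, the same bytes the MAC was computed over. A verifier that parses claims from any other field of the token, or that lets the token choose its algorithm, has decoupled "what was signed" from "what is trusted", which is exactly what an upgrade to 3.3.4 is meant to close.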
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| python-jwt | PyPI | < 3.3.4 | 3.3.4 |
Affected products
- davedoesdev/python-jwt (v5), range: < 3.3.4
Patches
Vulnerability mechanics
References
- github.com/advisories/GHSA-5p8v-58qm-c7fp (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-39227 (GHSA, advisory)
- github.com/davedoesdev/python-jwt/commit/6c5075469847b9e8b6e5336077d989d77a4d2bf1 (GHSA, web)
- github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9 (GHSA, web)
- github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp (GHSA, web)
- github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml (GHSA, web)
- www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt (GHSA, web)