{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"python-jwt security update", "category":"general", "title":"Synopsis" }, { "text":"An update for python-jwt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.", "category":"general", "title":"Summary" }, { "text":"PyJWT is a Python library which allows you to encode and decode JSON Web Tokens (JWT). \\ JWT is an open, industry-standard (RFC 7519) for representing claims securely between two parties.\n\nSecurity Fix(es):\n\nPyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.(CVE-2022-29217)", "category":"general", "title":"Description" }, { "text":"An update for python-jwt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"python-jwt", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2022-1710", "category":"self", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1710" }, { "summary":"CVE-2022-29217", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-29217&packageName=python-jwt" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29217" }, { "summary":"openEuler-SA-2022-1710 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2022/csaf-openeuler-sa-2022-1710.json" } ], "title":"An update for python-jwt is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS", "tracking":{ "initial_release_date":"2022-06-17T09:41:11+08:00", "revision_history":[ { "date":"2022-06-17T09:41:11+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:41:11+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:41:11+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:41:11+08:00", "id":"openEuler-SA-2022-1710", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"openEuler-20.03-LTS-SP1", "name":"openEuler-20.03-LTS-SP1" }, "name":"openEuler-20.03-LTS-SP1", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3" }, "product_id":"openEuler-20.03-LTS-SP3", "name":"openEuler-20.03-LTS-SP3" }, "name":"openEuler-20.03-LTS-SP3", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"openEuler-22.03-LTS", "name":"openEuler-22.03-LTS" }, "name":"openEuler-22.03-LTS", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"python2-jwt-1.7.1-3.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"python2-jwt-1.7.1-3.oe1.noarch.rpm" }, "name":"python2-jwt-1.7.1-3.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"python3-jwt-1.7.1-3.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"python3-jwt-1.7.1-3.oe1.noarch.rpm" }, "name":"python3-jwt-1.7.1-3.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"python-jwt-help-1.7.1-3.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"python-jwt-help-1.7.1-3.oe1.noarch.rpm" }, "name":"python-jwt-help-1.7.1-3.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3" }, "product_id":"python-jwt-help-1.7.1-3.oe1.noarch.rpm(20.03-LTS-SP3)", "name":"python-jwt-help-1.7.1-3.oe1.noarch.rpm" }, "name":"python-jwt-help-1.7.1-3.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3" }, "product_id":"python2-jwt-1.7.1-3.oe1.noarch.rpm(20.03-LTS-SP3)", "name":"python2-jwt-1.7.1-3.oe1.noarch.rpm" }, "name":"python2-jwt-1.7.1-3.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3" }, "product_id":"python3-jwt-1.7.1-3.oe1.noarch.rpm(20.03-LTS-SP3)", "name":"python3-jwt-1.7.1-3.oe1.noarch.rpm" }, "name":"python3-jwt-1.7.1-3.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"python3-jwt-2.3.0-3.oe2203.noarch.rpm", "name":"python3-jwt-2.3.0-3.oe2203.noarch.rpm" }, "name":"python3-jwt-2.3.0-3.oe2203.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"python-jwt-help-2.3.0-3.oe2203.noarch.rpm", "name":"python-jwt-help-2.3.0-3.oe2203.noarch.rpm" }, "name":"python-jwt-help-2.3.0-3.oe2203.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"python-jwt-1.7.1-3.oe1.src.rpm(20.03-LTS-SP1)", "name":"python-jwt-1.7.1-3.oe1.src.rpm" }, "name":"python-jwt-1.7.1-3.oe1.src.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3" }, "product_id":"python-jwt-1.7.1-3.oe1.src.rpm(20.03-LTS-SP3)", "name":"python-jwt-1.7.1-3.oe1.src.rpm" }, "name":"python-jwt-1.7.1-3.oe1.src.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"python-jwt-2.3.0-3.oe2203.src.rpm", "name":"python-jwt-2.3.0-3.oe2203.src.rpm" }, "name":"python-jwt-2.3.0-3.oe2203.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"python2-jwt-1.7.1-3.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:python2-jwt-1.7.1-3.oe1.noarch", "name":"python2-jwt-1.7.1-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"python3-jwt-1.7.1-3.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:python3-jwt-1.7.1-3.oe1.noarch", "name":"python3-jwt-1.7.1-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"python-jwt-help-1.7.1-3.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:python-jwt-help-1.7.1-3.oe1.noarch", "name":"python-jwt-help-1.7.1-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP3", "product_reference":"python-jwt-help-1.7.1-3.oe1.noarch.rpm(20.03-LTS-SP3)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP3:python-jwt-help-1.7.1-3.oe1.noarch", "name":"python-jwt-help-1.7.1-3.oe1.noarch as a component of openEuler-20.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP3", "product_reference":"python2-jwt-1.7.1-3.oe1.noarch.rpm(20.03-LTS-SP3)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP3:python2-jwt-1.7.1-3.oe1.noarch", "name":"python2-jwt-1.7.1-3.oe1.noarch as a component of openEuler-20.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP3", "product_reference":"python3-jwt-1.7.1-3.oe1.noarch.rpm(20.03-LTS-SP3)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP3:python3-jwt-1.7.1-3.oe1.noarch", "name":"python3-jwt-1.7.1-3.oe1.noarch as a component of openEuler-20.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"python3-jwt-2.3.0-3.oe2203.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:python3-jwt-2.3.0-3.oe2203.noarch", "name":"python3-jwt-2.3.0-3.oe2203.noarch as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"python-jwt-help-2.3.0-3.oe2203.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:python-jwt-help-2.3.0-3.oe2203.noarch", "name":"python-jwt-help-2.3.0-3.oe2203.noarch as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"python-jwt-1.7.1-3.oe1.src.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:python-jwt-1.7.1-3.oe1.src", "name":"python-jwt-1.7.1-3.oe1.src as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP3", "product_reference":"python-jwt-1.7.1-3.oe1.src.rpm(20.03-LTS-SP3)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP3:python-jwt-1.7.1-3.oe1.src", "name":"python-jwt-1.7.1-3.oe1.src as a component of openEuler-20.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"python-jwt-2.3.0-3.oe2203.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:python-jwt-2.3.0-3.oe2203.src", "name":"python-jwt-2.3.0-3.oe2203.src as a component of openEuler-22.03-LTS" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2022-29217", "notes":[ { "text":"PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:python2-jwt-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP1:python3-jwt-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP1:python-jwt-help-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP3:python-jwt-help-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP3:python2-jwt-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP3:python3-jwt-1.7.1-3.oe1.noarch", "openEuler-22.03-LTS:python3-jwt-2.3.0-3.oe2203.noarch", "openEuler-22.03-LTS:python-jwt-help-2.3.0-3.oe2203.noarch", "openEuler-20.03-LTS-SP1:python-jwt-1.7.1-3.oe1.src", "openEuler-20.03-LTS-SP3:python-jwt-1.7.1-3.oe1.src", "openEuler-22.03-LTS:python-jwt-2.3.0-3.oe2203.src" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:python2-jwt-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP1:python3-jwt-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP1:python-jwt-help-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP3:python-jwt-help-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP3:python2-jwt-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP3:python3-jwt-1.7.1-3.oe1.noarch", "openEuler-22.03-LTS:python3-jwt-2.3.0-3.oe2203.noarch", "openEuler-22.03-LTS:python-jwt-help-2.3.0-3.oe2203.noarch", "openEuler-20.03-LTS-SP1:python-jwt-1.7.1-3.oe1.src", "openEuler-20.03-LTS-SP3:python-jwt-1.7.1-3.oe1.src", "openEuler-22.03-LTS:python-jwt-2.3.0-3.oe2203.src" ], "details":"python-jwt security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1710" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.4, "vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:python2-jwt-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP1:python3-jwt-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP1:python-jwt-help-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP3:python-jwt-help-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP3:python2-jwt-1.7.1-3.oe1.noarch", "openEuler-20.03-LTS-SP3:python3-jwt-1.7.1-3.oe1.noarch", "openEuler-22.03-LTS:python3-jwt-2.3.0-3.oe2203.noarch", "openEuler-22.03-LTS:python-jwt-help-2.3.0-3.oe2203.noarch", "openEuler-20.03-LTS-SP1:python-jwt-1.7.1-3.oe1.src", "openEuler-20.03-LTS-SP3:python-jwt-1.7.1-3.oe1.src", "openEuler-22.03-LTS:python-jwt-2.3.0-3.oe2203.src" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2022-29217" } ] }