Safety vulnerability ID: 39221
The information on this page was manually curated by our Cybersecurity Intelligence Team.
In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library.
The issues are:
1) The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg.
2) JWA `none` algorithm was allowed in all flows.
3) oic.consumer.Consumer.parse_authz returns an unverified IdToken. The verification of the token was left to the discretion of the implementer.
4) iat claim was not checked for sanity (i.e. it could be in the future).
See CVE-2020-26244.
Latest version: 1.7.0
Python implementation of OAuth2 and OpenID Connect
Python oic is a Python OpenID Connect implementation. These issues are patched in version 1.2.1.
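As an added illustration, not pyoidc's own code, the following standalone Python checker shows the client-side ID token verification the four issues above call for: a mandatory expected algorithm, outright rejection of `none`, signature verification done by the parser rather than left to the caller, and a sanity check that iat is not in the future. It implements HS256 only; the demo secret, the sample claims and the `mint_token` helper (used to build sample tokens, including bad ones) are assumptions for this example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo values: a real client takes the key from the provider's JWKS or its client secret.
DEMO_SECRET = b"constructed-demo-client-secret"
CLOCK_SKEW = 60  # seconds of clock drift tolerated when checking iat

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def mint_token(claims: dict, alg: str, key: bytes = DEMO_SECRET) -> str:
    """Build a compact JWS; used only to construct sample tokens, including bad ones."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    # 'none' carries an empty signature, which is exactly what a client must refuse.
    sig = _b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest()) if alg == "HS256" else ""
    return f"{header}.{body}.{sig}"

def verify_id_token(token: str, key: bytes, expected_alg: str, now: Optional[int] = None) -> dict:
    """Return the claims only if every check passes, otherwise raise ValueError.
    expected_alg is mandatory (issue 1), 'none' is refused outright (issue 2), the
    signature is verified here rather than left to the caller (issue 3), and iat
    may not lie in the future (issue 4)."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError as exc:  # covers a wrong segment count, bad base64 and bad JSON
        raise ValueError(f"malformed token: {exc}") from exc
    alg = header.get("alg")
    # The 'none' check is explicit even though HS256-only already excludes it.
    if alg == "none" or alg != expected_alg or alg != "HS256":  # example supports HS256 only
        raise ValueError(f"algorithm {alg!r} rejected (expected {expected_alg!r})")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    now = int(time.time()) if now is None else now
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or iat > now + CLOCK_SKEW:
        raise ValueError("iat missing or in the future")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired or exp missing")
    return claims
```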
References:
CONFIRM: https://github.com/OpenIDC/pyoidc/security/advisories/GHSA-4fjv-pmhg-3rfg
MISC: https://github.com/OpenIDC/pyoidc/commit/62f8d753fa17c8b1f29f8be639cf0b33afb02498
MISC: https://github.com/OpenIDC/pyoidc/releases/tag/1.2.1
MISC: https://pypi.org/project/oic/