Safety vulnerability ID: 51645
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Authlib 1.1.0 includes a fix for CVE-2022-39175.
https://github.com/lepture/authlib/commit/80b0808263c6ce88335532b78e62bf2522593390
Latest version: 1.3.2
The ultimate Python library in building OAuth and OpenID Connect servers and clients.
-------------
**Released on Sep 13, 2022**

This release contains breaking changes and security fixes.

- Allow passing ``claims_options`` to Framework OpenID Connect clients, via :gh:`PR446`.
- Fix ``.stream`` with context for HTTPX OAuth clients, via :gh:`PR465`.
- Fix Starlette OAuth client for cache store, via :gh:`PR478`.

**Breaking changes**:

- Raise ``InvalidGrantError`` for invalid code, redirect_uri and no user errors in OAuth
  2.0 server.
- The default ``authlib.jose.jwt`` only works with JSON Web Signature algorithms. To use
  JWT with JWE algorithms, pass the ``algorithms`` parameter::

      from authlib.jose import JsonWebToken

      jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])

**Security fixes**: CVE-2022-39175 and CVE-2022-39174, both related to JOSE.
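
An added migration check for the JWE breaking change above (not Authlib code and not part of the changelog): it reads the protected header of compact tokens without verifying them and lists the ``alg``, ``enc`` and ``zip`` names that JWE tokens use, which are the names to pass to ``JsonWebToken``. The function names and the sample tokens are constructed for illustration.

```python
import base64
import json


def _seg(obj):
    """Base64url-encode a JSON object (used only to build the samples)."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def classify_token(token):
    """Return (kind, header) for a compact token. Nothing is verified."""
    parts = token.split(".")
    kind = {3: "JWS", 5: "JWE"}.get(len(parts))
    if kind is None:
        raise ValueError("not a compact JWS or JWE")
    pad = "=" * (-len(parts[0]) % 4)
    header = json.loads(base64.urlsafe_b64decode(parts[0] + pad))
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        raise ValueError("protected header has no string 'alg'")
    return kind, header


def jwe_algorithms_in_use(tokens):
    """Sorted alg/enc/zip names found in the JWE tokens of a sample set."""
    names = set()
    for token in tokens:
        kind, header = classify_token(token)
        if kind == "JWE":
            # Unverified header values: use for inventory, never for trust.
            names.update(
                header[k] for k in ("alg", "enc", "zip")
                if isinstance(header.get(k), str)
            )
    return sorted(names)


# Constructed samples: meaningful headers, dummy remaining segments.
SAMPLE_TOKENS = [
    _seg({"alg": "HS256", "typ": "JWT"}) + ".e30.c2ln",
    _seg({"alg": "A128KW", "enc": "A128GCM", "zip": "DEF"}) + ".a2V5.aXY.Y3Q.dGFn",
]

if __name__ == "__main__":
    print(jwe_algorithms_in_use(SAMPLE_TOKENS))
```

Run it over tokens captured from your own services before upgrading; an empty result means no JWE tokens were seen in that sample.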