Vulnerability Information
Vulnerability Title
Cryptographic issues in Python oic
Vulnerability Description
Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg. 2) The JWA `none` algorithm was allowed in all flows. 3) oic.consumer.Consumer.parse_authz returns an unverified IdToken. The verification of the token was left to the discretion of the implementer. 4) The iat claim was not checked for sanity (i.e. it could be in the future). These issues are patched in version 1.2.1.
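The four checks listed above, written out as an added example for client code reviewers. This is not python-oic's code: `verify_id_token`, `make_token` and `IdTokenError` are hypothetical names, the tokens are constructed samples, and HS256 stands in for whichever algorithm the client registered.

```python
import base64, hashlib, hmac, json, time

_MACS = {"HS256": hashlib.sha256}  # algorithms this sketch can verify; "none" is absent on purpose

class IdTokenError(Exception):
    """An ID token failed a required check."""

def _dec(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(header, claims, key):
    """Build a constructed sample token: HS256-signed, or unsigned when alg is 'none'."""
    body = ".".join(_enc(json.dumps(p).encode()) for p in (header, claims))
    unsigned = header.get("alg") == "none"
    sig = b"" if unsigned else hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _enc(sig)

def verify_id_token(token, key, expected_alg="HS256", now=None, skew=120):
    """Return the claims only if every check passes; raise IdTokenError otherwise."""
    try:
        h64, c64, s64 = token.split(".")
        header, claims, sig = json.loads(_dec(h64)), json.loads(_dec(c64)), _dec(s64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and claims must be JSON objects")
    except ValueError as exc:
        raise IdTokenError("malformed token") from exc
    # Issues 1 and 2: always compare alg with the expected one; 'none' is never verifiable.
    alg = header.get("alg")
    if alg != expected_alg or alg not in _MACS:
        raise IdTokenError(f"unexpected alg {alg!r}")
    # Issue 3: the signature is verified before any claim is returned to the caller.
    mac = hmac.new(key, f"{h64}.{c64}".encode(), _MACS[alg]).digest()
    if not hmac.compare_digest(mac, sig):
        raise IdTokenError("bad signature")
    # Issue 4: iat must be a number and not in the future (beyond allowed clock skew).
    iat = claims.get("iat")
    now = time.time() if now is None else now
    if isinstance(iat, bool) or not isinstance(iat, (int, float)) or iat > now + skew:
        raise IdTokenError("iat missing, non-numeric, or in the future")
    return claims
```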
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
Missing required cryptographic step
Vulnerability Title
Python oic security vulnerability
Vulnerability Description
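Python is an open-source, object-oriented programming language from the Python Foundation. The language is extensible, supports modules and packages, and runs on multiple platforms. Python oic versions before 1.2.1 contain a security vulnerability that stems from several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm is not checked automatically; it is checked only when the expected algorithm is passed in as a kwarg. 2) The JWA none algorithm is allowed in all flows. 3) oic.consumer.Consumer.parse_authz returns an unverified IdToken. Verification of the token is left to the implementer. 4) The iat claim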
CVSS Information
N/A
Vulnerability Type
N/A