Python-jwt subject to Authentication Bypass by Spoofing

python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

使用欺骗进行的认证绕过

python-jwt 安全漏洞

python-jwt是David Halls个人开发者的一个用于生成和验证 JSON Web 令牌的 Python 模块。 python-jwt 3.3.4之前版本存在安全漏洞，该漏洞源于受到欺骗绕过身份验证的影响，从而导致身份欺骗、会话劫持或绕过身份验证。

N/A

N/A