Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
python-jose thru 3.3.0 allows JWT tokens with 'alg=none' to be decoded and accepted without any cryptographic signature verification. A malicious actor can craft a forged token with arbitrary claims (e.g., is_admin=true) and bypass authentication checks, leading to privilege escalation or unauthorized access in applications that rely on python-jose for token validation. This issue is exploitable unless developers explicitly reject 'alg=none' tokens, which is not enforced by the library. NOTE: all parties agree that the issue is not relevant because it only occurs in a "verify_signature": False situation.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
python-jose 安全漏洞
Vulnerability Description
python-jose是Michael Davis个人开发者的一个 Python 中的 JOSE 实现。 python-jose 3.3.0及之前版本存在安全漏洞,该漏洞源于未强制执行alg=none令牌拒绝,可能导致绕过身份验证检查,进而导致权限提升或未经授权的访问。
CVSS Information
N/A
Vulnerability Type
N/A