Hello world,
The function construct in
|
def construct(key_data, algorithm=None): |
contains an Generation of Error Message Containing Sensitive Information vulnerability that allows an attacker to view the victims Secret Key that is used to sign tokens. With the secret key an attacker would be able to create and sign valid tokens on the victims site and bypass authentication if JWT's are used for authorizing a user via the HTTP Authorization header for example. I've submitted a fix and PR:
#328
Best regards,
mr-n30
Hello world,
The function
constructinpython-jose/jose/jwk.py
Line 63 in 4b0701b
contains an
Generation of Error Message Containing Sensitive Informationvulnerability that allows an attacker to view the victimsSecret Keythat is used to sign tokens. With the secret key an attacker would be able to create and sign valid tokens on the victims site and bypass authentication if JWT's are used for authorizing a user via the HTTPAuthorizationheader for example. I've submitted a fix and PR:#328
Best regards,
mr-n30