#VU103946 Incorrect Comparison in pyjwt - CVE-2024-53861

Cybersecurity Help s.r.o.

Published: 2025-02-13

Vulnerability identifier: #VU103946

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-53861

CWE-ID: CWE-697

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pyjwt
Other software / Other software solutions

Vendor: jpadilla (José Padilla)

Description

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to an incorrect string comparison being run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. A remote attacker can trigger incorrect comparisons and modify data on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

pyjwt: 2.10.0

External links
https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366
https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Incorrect Comparison in jpadilla pyjwt