Amazon Linux 2023 Security Advisory: ALAS-2023-076
Advisory Release Date: 2023-02-17 20:46 Pacific
Advisory Updated Date: 2023-02-22 23:31 Pacific
Severity:
Medium
Issue Overview:
A vulnerability was found in python-jwt. This issue happens when PyJWT supports multiple different JWT signing algorithms. This flaw allows an attacker submitting the JWT token to choose the used signing algorithm, leading to key confusion through non-blocklisted public key formats. (CVE-2022-29217)
Affected Packages:
python-jwt
Issue Correction:
Run dnf update python-jwt --releasever=2023.0.20230222 to update your system.
New Packages:
noarch:
python3-jwt+crypto-2.4.0-1.amzn2023.0.1.noarch
python3-jwt-2.4.0-1.amzn2023.0.1.noarch
src:
python-jwt-2.4.0-1.amzn2023.0.1.src