
Vulnerability with python-jose #1616

Closed
TaylorNQT opened this issue May 14, 2024 · 2 comments
Labels
open issue A validated issue that should be tackled. Comment if you'd like it assigned to you.

Comments

@TaylorNQT

There is currently an issue with the python-jose package as described here.

Potential fix is to replace with PyJWT.

@pamelafox
Collaborator

cc @mattgotteiner

It looks like our usage should not be affected by the vulnerability, since we do specify an algorithm:

```python
jwt.decode(token, rsa_key, algorithms=["RS256"], audience=audience, issuer=issuer)
```

Let me know if you think otherwise.

We're also aware that python-jose is generally unmaintained, but last I checked, PyJWT was still missing a feature that we needed to be able to move over to it. Happy to be corrected if it's a suitable substitute now.

Thanks so much for filing.

@pamelafox pamelafox added the open issue A validated issue that should be tackled. Comment if you'd like it assigned to you. label May 16, 2024
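The comment above rests on one point: because the call passes an explicit `algorithms=["RS256"]` allow-list, the token header's `alg` value cannot steer verification onto an algorithm the key was never meant for. The following is an added, standard-library-only example that shows what such an allow-list check does and why it has to run before any signature work; it is not code from python-jose, PyJWT or this repository. Only HS256 is implemented (it needs nothing beyond `hmac`), and the RS256 path the project actually uses is deliberately left out, since verifying it needs an RSA library. The secret, claims and forged tokens are constructed inline for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    """Raised for any token that must not be accepted."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256_verify(signing_input: bytes, signature: bytes, key: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


# Only HMAC-SHA256 is implemented here. RS256 would need an RSA implementation
# (for example the `cryptography` package) and is left out of this example.
_VERIFIERS = {"HS256": _hs256_verify}


def decode(token, key, algorithms, audience=None, issuer=None, now=None):
    """Verify and decode a compact JWS. `algorithms` is the caller's allow-list."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token is not a three-part compact JWS")
    header_b64, payload_b64, signature_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    # The central check: the verifier, not the token header, decides which
    # algorithm is acceptable. "none", or an algorithm the key was never meant
    # for, is rejected here before any signature bytes are even decoded.
    if alg not in algorithms:
        raise InvalidToken(f"header alg {alg!r} not in allow-list {list(algorithms)}")
    verify = _VERIFIERS.get(alg)
    if verify is None:
        raise InvalidToken(f"no verifier implemented for {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if not verify(signing_input, _b64url_decode(signature_b64), key):
        raise InvalidToken("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("token has expired")
    if issuer is not None and claims.get("iss") != issuer:
        raise InvalidToken("issuer mismatch")
    if audience is not None:
        aud = claims.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            raise InvalidToken("audience mismatch")
    return claims


def encode_hs256(claims, key):
    """Issue a legitimately signed HS256 token (the issuer's side)."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def encode_unsigned(claims):
    """Forge an `alg: none` token with an empty signature (the attacker's move)."""
    header_b64 = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    return f"{header_b64}.{payload_b64}."


def demo():
    """Run the constructed cases and return each outcome so they can be checked."""
    key = b"constructed-demo-secret"  # constructed for the example
    iss, aud = "https://issuer.example", "api"
    claims = {"sub": "alice", "iss": iss, "aud": aud, "exp": 2_000_000_000}
    good = encode_hs256(claims, key)
    h, _, s = good.split(".")
    tampered = f"{h}.{_b64url_encode(json.dumps({**claims, 'sub': 'admin'}).encode())}.{s}"
    cases = {
        "alg_none": (encode_unsigned(claims), ["HS256"], aud),
        "alg_not_allowed": (good, ["RS256"], aud),  # valid HS256 token, RS256-only verifier
        "tampered": (tampered, ["HS256"], aud),
        "wrong_audience": (good, ["HS256"], "other-service"),
    }
    results = {"valid": decode(good, key, ["HS256"], audience=aud, issuer=iss)["sub"]}
    for name, (token, allow, expected_aud) in cases.items():
        try:
            decode(token, key, allow, audience=expected_aud, issuer=iss)
            results[name] = "accepted"
        except InvalidToken:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `alg_not_allowed` case is the one that matters for this issue: a token that is perfectly valid under HS256 is still refused by a verifier configured for `["RS256"]`, because the allow-list is consulted before the signature is ever looked at. Omitting `algorithms=` hands that decision to whoever wrote the token header.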
@TaylorNQT
Author

That's OK, I just wanted to make you aware :)
