Seems we have a dependency with a security flaw https://www.cve.org/CVERecord?id=CVE-2024-23342. Did anyone assess the risk associated with using the fastapi-azure-auth library with this dependency?
According to the maintainer it's a "wontfix" tlsfuzzer/python-ecdsa#330 (comment) so if it is unsafe we should probably switch to a non-pure python implementation of string comparisons.
We already use cryptography as the backend, and do not allow our users to configure it. There is no impact for our users of this library. The reason we get this warning is because Python-Jose allows you to configure backends, and ecdsa is one of them.
However, Python-Jose seems to be pretty unmaintained, which raises an argument to switch to PyJWT. I'll close this issue, but this discussion can be continued if we/anyone see a need to migrate.
JonasKs changed the title from "CVE-2024-23342 ecdsa may be vulnerable to the Minerva attack" to "SOLVED: CVE-2024-23342 ecdsa may be vulnerable to the Minerva attack" on Feb 2, 2024
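An added example, not part of the thread and not code from fastapi-azure-auth or python-jose: a local check that separates "the ecdsa package is installed" (what a dependency scanner reports) from "python-jose actually routes EC keys to it" (the backend point made in the reply above). It assumes python-jose exposes its selected EC key class as `jose.backends.ECKey`; the function names are hypothetical.

```python
import importlib
import importlib.util

ADVISORY = "CVE-2024-23342"  # identifier taken from the issue above


def classify_ec_backend(module_name):
    """Turn the module that defines jose.backends.ECKey into a short verdict."""
    if module_name is None:
        return "python-jose not importable"
    if module_name.endswith("cryptography_backend"):
        return "cryptography"
    if module_name.endswith("ecdsa_backend"):
        return "ecdsa (pure Python, the package named in the advisory)"
    return "unknown: " + module_name


def active_ec_backend_module():
    """Return the module of the EC key class python-jose selected, or None."""
    try:
        backends = importlib.import_module("jose.backends")
    except Exception:  # missing package or a broken install: nothing to inspect
        return None
    ec_key = getattr(backends, "ECKey", None)  # assumed attribute name
    if ec_key is None:
        return None
    return getattr(ec_key, "__module__", None)


def ecdsa_installed():
    """True when the ecdsa distribution is present in this environment."""
    try:
        return importlib.util.find_spec("ecdsa") is not None
    except (ImportError, ValueError):
        return False


def audit():
    """Collect both facts so a scanner finding can be triaged."""
    backend = classify_ec_backend(active_ec_backend_module())
    return {
        "advisory": ADVISORY,
        "ecdsa_installed": ecdsa_installed(),
        "ec_backend": backend,
        "jose_uses_ecdsa": backend.startswith("ecdsa"),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run it inside the deployed virtual environment: `ecdsa_installed: True` together with `jose_uses_ecdsa: False` is the situation the reply describes.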