vulnerability in indirect import of ecdsa library #395

Closed
somurzakov-rbx opened this issue Apr 3, 2024 · 2 comments

Comments

@somurzakov-rbx

https://security.snyk.io/vuln/SNYK-PYTHON-ECDSA-6184115
https://nvd.nist.gov/vuln/detail/CVE-2024-23342

Okta is using the python-jose library, which in turn uses the ecdsa library.
The ecdsa package has CVE-2024-23342 and currently has no version that fixes this vuln.

Is Okta planning to close this vuln by replacing the ecdsa dependency with a different library? Thanks

@somurzakov-rbx somurzakov-rbx changed the title vulnerable ecdsa package vulnerability in indirect import of ecdsa library Apr 3, 2024
@nkatomeris-r7

Related issue in python-jose: mpdavis/python-jose#341

  • The suggestions are to use python-jose[cryptography] or not use python-jose at all.
  • Using python-jose[cryptography] will, however, still install ecdsa but will not use it.

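Added example, not code from this thread, okta, or python-jose: the two points above can be checked mechanically by walking the `Requires-Dist` metadata of installed distributions. The script below finds every chain from a top-level package down to a named transitive dependency (here `ecdsa`), and treats edges guarded by `extra == "..."` as optional, which is exactly why `python-jose[cryptography]` adds `cryptography` without removing `ecdsa`. The `SAMPLE_REQUIRES` graph is a constructed stand-in for the okta -> python-jose -> ecdsa chain (names and version pins illustrative); `graph_from_environment()` reads the real metadata from the running interpreter.

```python
"""Find which installed packages pull in a given transitive dependency.

Added example for the issue above; not code from okta or python-jose.
"""
import re
from collections import deque
from importlib import metadata

# Start of a PEP 508 requirement: the distribution name.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
# Environment marker of the form: extra == "name"
_EXTRA_RE = re.compile(r"""extra\s*==\s*['"]([^'"]+)['"]""")


def _norm(name):
    """Normalize a distribution name the way pip does (case, -, _, .)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(req):
    """Return (normalized name, extra-or-None) for one Requires-Dist string.

    'cryptography>=3.4.0; extra == "cryptography"' -> ("cryptography", "cryptography")
    'ecdsa != 0.15'                                 -> ("ecdsa", None)
    """
    name_part, _, marker = req.partition(";")
    m = _REQ_RE.match(name_part)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    extra = _EXTRA_RE.search(marker)
    return _norm(m.group(1)), (extra.group(1) if extra else None)


def build_graph(requires_by_dist):
    """Map each distribution to the set of (dependency, extra) edges it declares."""
    return {_norm(d): {parse_requirement(r) for r in reqs} for d, reqs in requires_by_dist.items()}


def graph_from_environment():
    """Same shape as build_graph(), read from the interpreter's site-packages."""
    return build_graph({d.metadata["Name"]: d.requires or [] for d in metadata.distributions()})


def who_requires(graph, target):
    """Distributions that declare target as a direct dependency (any extra)."""
    target = _norm(target)
    return sorted(d for d, edges in graph.items() if any(dep == target for dep, _ in edges))


def paths_to(graph, target, include_extras=False):
    """All dependency chains root -> ... -> target, as lists of names.

    A root is a distribution nothing else requires, i.e. something installed
    on purpose. Extra-guarded edges are skipped unless include_extras is set,
    because `pip install foo` does not install foo's extras.
    """
    target = _norm(target)
    required = {dep for edges in graph.values() for dep, _ in edges}
    roots = sorted(d for d in graph if d not in required)
    found = []
    queue = deque([[r] for r in roots])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            found.append(path)
            continue
        for dep, extra in sorted(graph.get(node, ()), key=lambda e: (e[0], e[1] or "")):
            if extra and not include_extras:
                continue
            if dep not in path:  # guard against cyclic metadata
                queue.append(path + [dep])
    return found


# Constructed sample resembling this issue's dependency chain (illustrative pins).
SAMPLE_REQUIRES = {
    "okta": ["python-jose>=3.3.0", "aiohttp", "pydash"],
    "python-jose": [
        "ecdsa != 0.15",
        "rsa",
        "pyasn1",
        'cryptography>=3.4.0; extra == "cryptography"',
        'pycryptodome>=3.3.1; extra == "pycryptodome"',
    ],
    "ecdsa": ["six>=1.9.0"],
    "cryptography": ["cffi>=1.12"],
    "rsa": ["pyasn1>=0.1.3"],
    "pyasn1": [], "six": [], "cffi": ["pycparser"], "pycparser": [],
    "aiohttp": [], "pydash": [],
}

if __name__ == "__main__":
    g = build_graph(SAMPLE_REQUIRES)
    print("sample:", paths_to(g, "ecdsa"))          # [['okta', 'python-jose', 'ecdsa']]
    for p in paths_to(graph_from_environment(), "ecdsa"):
        print("installed:", " -> ".join(p))
```

Run it inside the virtualenv under audit; an empty "installed:" list means nothing top-level pulls `ecdsa` in. Note that the graph only proves `ecdsa` is present, not that it is exercised: as far as I recall, python-jose's `jose/backends/__init__.py` falls back to `ecdsa_backend` only when `cryptography_backend` fails to import, so with the `[cryptography]` extra installed the package sits unused in site-packages, which is the situation the comment above describes.
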
@bryanapellanes-okta
Contributor

This should be fixed by #403. Please submit a new issue referencing this one if this is still a problem.
