CVE-2024-53861
CVSS 3.1 Score 2.2 of 10 (low)
Details
Summary
CVE-2024-53861 is a vulnerability affecting the pyjwt Python library, specifically versions 2.10.0 and earlier. The issue is an incorrect string comparison in claim checking for the `iss` claim, which allows the string "acb" to be accepted for the expected value "__abc__". The defect was introduced when the check changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`: because `str` is itself a `Sequence`, a single configured issuer string takes the membership branch, and the `in` operator then performs substring matching instead of an equality comparison. Signature verification is unaffected, but denial of service scenarios are a significant concern. Users are advised to upgrade to version 2.10.1 to address this vulnerability, as no known workarounds are available.
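The mechanism described above, reproduced as an added example (not pyjwt's own code): a minimal issuer check modelled on the `isinstance(issuer, Sequence)` branch beside a corrected check that treats a `str` issuer as a single value. The function names and the sample payloads are constructed for illustration; the point shown is that with the flawed check any `iss` value that is a substring of the configured issuer (including the empty string) passes, while list-of-issuers membership keeps working in both variants.

```python
from collections.abc import Sequence
from typing import Any, Optional, Union

IssuerSpec = Optional[Union[str, Sequence[str]]]


def validate_iss_vulnerable(payload: dict[str, Any], issuer: IssuerSpec) -> bool:
    """Modelled on the 2.10.0-style check (hypothetical reconstruction).

    `str` is a `collections.abc.Sequence`, so a single issuer string takes the
    membership branch and `in` becomes substring containment.
    """
    if issuer is None:
        return True  # no issuer configured: nothing to verify
    if "iss" not in payload:
        return False  # missing required claim
    if isinstance(issuer, Sequence):
        return payload["iss"] in issuer  # for str this is a substring test
    return payload["iss"] == issuer


def validate_iss_fixed(payload: dict[str, Any], issuer: IssuerSpec) -> bool:
    """Corrected check: a str issuer is compared for equality; only real
    containers (list/tuple) use membership, where `in` means element equality."""
    if issuer is None:
        return True
    if "iss" not in payload:
        return False
    claimed = payload["iss"]
    if isinstance(issuer, str):
        return claimed == issuer
    if isinstance(issuer, Sequence):
        # Each allowed issuer must itself be a str; membership is exact match.
        return any(isinstance(allowed, str) and claimed == allowed for allowed in issuer)
    raise TypeError("issuer must be None, a str, or a sequence of str")


if __name__ == "__main__":
    configured = "__abc__"  # constructed expected issuer
    for claimed in ("__abc__", "abc", "", "other"):
        token_payload = {"iss": claimed}  # constructed decoded-payload stand-in
        print(
            f"iss={claimed!r:10} vulnerable={validate_iss_vulnerable(token_payload, configured)!s:5} "
            f"fixed={validate_iss_fixed(token_payload, configured)}"
        )
```

Run stand-alone, the loop shows the substring values `"abc"` and `""` accepted only by the flawed variant; detection-wise, an `iss` validator that never raises for an empty or truncated issuer is the symptom to look for when auditing a deployment still on 2.10.0.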