admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-06-08 22:18:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add CVE-2020-26244 for GHSA-4fjv-pmhg-3rfg

Browse Source
This commit is contained in:
Robert Schultheis 2020-12-02 13:03:38 -07:00
parent 8429b43f7e
commit 6a9aebfa12
No known key found for this signature in database
GPG Key ID: 348C4211B4D8BB40
1 changed files with 94 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
2020/26xxx/CVE-2020-26244.json
View File

@ -1,18 +1,106 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26244",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Cryptographic issues in Python oic"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "pyoidc",
"version": {
"version_data": [
{
"version_value": "< 1.2.1"
}
]
}
}
]
},
"vendor_name": "OpenIDC"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. \n\nThe issues are: 1) The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg.\n2) JWA `none` algorithm was allowed in all flows.\n3) oic.consumer.Consumer.parse_authz returns an unverified IdToken. The verification of the token was left to the discretion of the implementator.\n4) iat claim was not checked for sanity (i.e. it could be in the future).\n\nThese issues are patched in version 1.2.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-325 Missing Required Cryptographic Step"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-347 Improper Verification of Cryptographic Signature"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/OpenIDC/pyoidc/security/advisories/GHSA-4fjv-pmhg-3rfg",
"refsource": "CONFIRM",
"url": "https://github.com/OpenIDC/pyoidc/security/advisories/GHSA-4fjv-pmhg-3rfg"
},
{
"name": "https://pypi.org/project/oic/",
"refsource": "MISC",
"url": "https://pypi.org/project/oic/"
},
{
"name": "https://github.com/OpenIDC/pyoidc/commit/62f8d753fa17c8b1f29f8be639cf0b33afb02498",
"refsource": "MISC",
"url": "https://github.com/OpenIDC/pyoidc/commit/62f8d753fa17c8b1f29f8be639cf0b33afb02498"
},
{
"name": "https://github.com/OpenIDC/pyoidc/releases/tag/1.2.1",
"refsource": "MISC",
"url": "https://github.com/OpenIDC/pyoidc/releases/tag/1.2.1"
}
]
},
"source": {
"advisory": "GHSA-4fjv-pmhg-3rfg",
"discovery": "UNKNOWN"
}
}