CVE-2020-26244

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-26244

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26244.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-26244

Aliases

Related

Published

2020-12-02T20:15:13Z

Modified

2024-10-12T06:24:22.436027Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg. 2) JWA none algorithm was allowed in all flows. 3) oic.consumer.Consumer.parse_authz returns an unverified IdToken. The verification of the token was left to the discretion of the implementator. 4) iat claim was not checked for sanity (i.e. it could be in the future). These issues are patched in version 1.2.1.

References

Affected packages

Git / github.com/cz-nic/pyoidc

Affected ranges

Type: GIT
Repo: https://github.com/cz-nic/pyoidc
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

62f8d753fa17c8b1f29f8be639cf0b33afb02498

Type: GIT
Repo: https://github.com/openidc/pyoidc
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0bf07d010e224247b6dc7bceb3c04aa328ed263e

Affected versions

0.*

0.4

0.5.0

0.7.0

0.7.7

0.7.8

0.8.0

1.*

1.2.0

v0.*

v0.10.0

v0.11.0

v0.11.1

v0.12.0

v0.13.0

v0.13.1

v0.14.0

v0.15.0

v0.15.1

v0.6.0

v0.7.6

v0.8.5

v0.9.0

v0.9.1

v0.9.4

v0.9.5

v1.*

v1.0.0

v1.0.1

v1.1.0

v1.1.1

v1.1.2