Activity log
- Created suggestion
Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification
Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests that passed a malicious JWT containing `alg: none` and an empty signature were passing the signature verification step, without any changes to the application code, when a failure was expected. This issue has been patched in version 1.6.7.
References
Affected products
- >= 1.6.5, < 1.6.7
Matching in nixpkgs
pkgs.python312Packages.authlib
Library for building OAuth and OpenID Connect servers
pkgs.python313Packages.authlib
Library for building OAuth and OpenID Connect servers
pkgs.python314Packages.authlib
Library for building OAuth and OpenID Connect servers
pkgs.python312Packages.oauthlib
Generic, spec-compliant, thorough implementation of the OAuth request-signing logic
pkgs.python313Packages.oauthlib
Generic, spec-compliant, thorough implementation of the OAuth request-signing logic
pkgs.python314Packages.oauthlib
Generic, spec-compliant, thorough implementation of the OAuth request-signing logic
pkgs.python312Packages.hawkauthlib
Hawk Access Authentication protocol
pkgs.python313Packages.hawkauthlib
Hawk Access Authentication protocol
pkgs.python314Packages.hawkauthlib
Hawk Access Authentication protocol
pkgs.python312Packages.aiohttp-oauthlib
oauthlib integration for aiohttp clients
pkgs.python313Packages.aiohttp-oauthlib
oauthlib integration for aiohttp clients
pkgs.python314Packages.aiohttp-oauthlib
oauthlib integration for aiohttp clients
pkgs.python312Packages.requests-oauthlib
OAuthlib authentication support for Requests
pkgs.python313Packages.requests-oauthlib
OAuthlib authentication support for Requests
pkgs.python314Packages.requests-oauthlib
OAuthlib authentication support for Requests
pkgs.python312Packages.google-auth-oauthlib
Google Authentication Library: oauthlib integration
pkgs.python313Packages.google-auth-oauthlib
Google Authentication Library: oauthlib integration
pkgs.python314Packages.google-auth-oauthlib
Google Authentication Library: oauthlib integration
Package maintainers
- @sumnerevans Sumner Evans <me@sumnerevans.com>
- @flokli Florian Klink <flokli@flokli.de>
- @terlar Terje Larsen <terlar@gmail.com>
- @prikhi Pavan Rikhi <pavan.rikhi@gmail.com>
- @sarahec Sarah Clark <seclark@nextquestion.net>