Vulnerability on dependency (ecdsa), not planned to be fixed #341
Comments
Merinorus
changed the title
|
I was also brought here by security alerts this morning. From the python-ecdsa security policy, which the maintainers cite in their reply:
So I would ask, what is it being used for in this project? Edit: It seems this repository is abandoned (#332). The solution is to get away from python-jose as a dependency. My team's requirements are met by PyJWT which is 4x more popular (by stars) but has 5x fewer open issues. |
This project allow you to use multiple backends, one of them is cryptography, as is the solution suggested solution. It’s all there, in the README: https://github.com/mpdavis/python-jose?tab=readme-ov-file#cryptographic-backends In other words, ensure you’re using the |
|
guess it makes more sense to just migrate to https://github.com/jpadilla/pyjwt |
|
hello, The dependence on this library on ecdsa exposes us to several attacks : ecdsa Missing Encryption of Sensitive Data [CVSS 7.4] The ECDSA is not maintained and not built for production: Why you are still using it, can you please dispose of it? I think if you continue to use them you also need to add the following note to your project: " NOTE: This library should not be used in production settings, see Security for more details." please help the world to be a safer |
|
@yaronbenezra , did you even read my reply? |
|
Perhaps a stupid question: If it works with other backends, why not removing ecdsa backend? |
|
The package is not maintained, so no changes can be done to it. |
|
Anyone know how to replace jose's I documented other migration steps at jpadilla/pyjwt#942 |
Hello,
The
ecdsapackage is a requirement for this project. There is a vulnerability affecting the latest version (0.18.0), but the maintainers don't plan to fix it.More information here: GHSA-wj6h-64fc-37mp
The text was updated successfully, but these errors were encountered: