Vulnerability on dependency (ecdsa), not planned to be fixed #341
Comments
I was also brought here by security alerts this morning. From the python-ecdsa security policy, which the maintainers cite in their reply:
So I would ask, what is it being used for in this project? Edit: It seems this repository is abandoned (#332). The solution is to get away from python-jose as a dependency. My team's requirements are met by PyJWT, which is 4x more popular (by stars) but has 5x fewer open issues.
This project allows you to use multiple backends, one of them is cryptography, which is the suggested solution. It's all there, in the README: https://github.com/mpdavis/python-jose?tab=readme-ov-file#cryptographic-backends In other words, ensure you're using the
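A scanner flags the `ecdsa` package because it is pinned in the project's install requirements, but the thread's distinction is about which backend python-jose actually uses at runtime. The following is an added check, not python-jose's own code and not part of any comment above. It assumes (from reading `jose/backends/__init__.py` in python-jose 3.x) that EC keys are served by `CryptographyECKey` when `cryptography` imports and otherwise by `ECDSAECKey`, which is built on the `ecdsa` package; the helper names and the `EC_BACKEND_ORDER` table are this example's own.

```python
"""Determine which EC backend python-jose falls back to in the current environment.

Added example; assumes python-jose's documented preference of the `cryptography`
backend over the native `ecdsa`-based backend for EC keys.
"""
import importlib.util

# Assumed fallback order for EC keys, highest preference first:
# (importable top-level module, python-jose backend class name).
EC_BACKEND_ORDER = (
    ("cryptography", "CryptographyECKey"),
    ("ecdsa", "ECDSAECKey"),
)


def select_ec_backend(installed):
    """Predict the EC backend class python-jose would load, given a set of
    importable top-level module names. Returns None if no backend can load."""
    for module, cls in EC_BACKEND_ORDER:
        if module in installed:
            return cls
    return None


def uses_ecdsa_backend(installed):
    """True when the environment would fall through to the `ecdsa`-based backend."""
    return select_ec_backend(installed) == "ECDSAECKey"


def installed_modules(candidates=("cryptography", "ecdsa", "jose")):
    """Which of the candidate modules are importable here (no import side effects)."""
    return {m for m in candidates if importlib.util.find_spec(m) is not None}


def active_ec_backend():
    """Introspect a real python-jose install if present; otherwise predict from
    what is importable. Either way the answer is the backend class name."""
    try:
        from jose.backends import ECKey  # the class python-jose bound at import time
    except ImportError:
        return select_ec_backend(installed_modules())
    return ECKey.__name__


if __name__ == "__main__":
    backend = active_ec_backend()
    print("EC backend:", backend)
    if backend == "ECDSAECKey":
        print("WARNING: EC signatures are handled by the `ecdsa` package; "
              "install python-jose[cryptography] to switch backends.")
```

Note that a result of `CryptographyECKey` only tells you the vulnerable code path is not exercised; `pip` still installs `ecdsa` as a declared dependency, so dependency scanners will keep alerting until the dependency itself is removed.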
Guess it makes more sense to just migrate to https://github.com/jpadilla/pyjwt
Hello, this library's dependence on ecdsa exposes us to several attacks: ecdsa Missing Encryption of Sensitive Data [CVSS 7.4]. ECDSA is not maintained and not built for production. Why are you still using it? Can you please dispose of it? I think if you continue to use it you also need to add the following note to your project: "NOTE: This library should not be used in production settings, see Security for more details." Please help the world to be a safer
@yaronbenezra, did you even read my reply?
Perhaps a stupid question: if it works with other backends, why not remove the ecdsa backend?
The package is not maintained, so no changes can be done to it. |
Anyone know how to replace jose's
I documented other migration steps at jpadilla/pyjwt#942
Hello,
The ecdsa package is a requirement for this project. There is a vulnerability affecting the latest version (0.18.0), but the maintainers don't plan to fix it. More information here: GHSA-wj6h-64fc-37mp