CVE-2022-3102

Public on 2024-04-30
Modified on 2024-08-02
Description
The JWT code can auto-detect the type of token being provided, and this can lead the application to incorrect conclusions about the trustworthiness of the token.

CVE-2022-3102 is specific to cases where jwcrypto's tokens are used for authentication or authorization. It requires an unlikely configuration where the application verifying tokens has access to the private key that was used to sign them. Given that python-jwcrypto is not used in AL2 for authentication or authorization and the special conditions required to exploit CVE-2022-3102, a fix will not be provided at this time for Amazon Linux 2.
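The mitigation for the behaviour described above is to stop relying on the library to guess the token type: the application states what it expects (a signed JWS, or an encrypted JWE) and rejects anything else before a key is ever applied. The following is an added example, not code from jwcrypto or from the Amazon Linux advisory. It is pure Python with no dependency on any JWT library: it inspects the compact serialization (a JWS has three dot-separated segments and a protected header with only `alg`; a JWE has five segments and a header carrying `enc`) and pins both the token type and an algorithm allow-list. The sample tokens are constructed for the example; their signature and ciphertext segments are placeholder bytes, so only the structure and headers are meaningful.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JOSE compact serialization does."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Reverse of _b64url; restores the padding the token omits."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed sample tokens (assumption: placeholder bytes, not real crypto output).
# Three segments: protected header . payload . signature  -> JWS
SIGNED_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "alice", "role": "user"}).encode()),
    _b64url(b"placeholder-signature"),
])

# Five segments: header . encrypted key . iv . ciphertext . tag  -> JWE
ENCRYPTED_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RSA-OAEP", "enc": "A256GCM", "typ": "JWT"}).encode()),
    _b64url(b"placeholder-encrypted-key"),
    _b64url(b"placeholder-iv"),
    _b64url(b"placeholder-ciphertext"),
    _b64url(b"placeholder-tag"),
])


class TokenTypeError(ValueError):
    """Raised when a token is not the type or algorithm the application expects."""


def classify_token(token: str) -> str:
    """Return 'JWS' or 'JWE' from segment count and protected header, else raise."""
    parts = token.split(".")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise TokenTypeError("unparseable protected header") from exc
    if not isinstance(header, dict) or "alg" not in header:
        raise TokenTypeError("protected header missing 'alg'")
    if len(parts) == 5 and "enc" in header:
        return "JWE"
    if len(parts) == 3 and "enc" not in header:
        return "JWS"
    raise TokenTypeError(f"segment count {len(parts)} does not match header")


def require_token_type(token: str, expected: str, allowed_algs: frozenset) -> dict:
    """Gate to run before any verification library sees the token.

    Rejects the token unless it is exactly the expected type (so a decryptable
    JWE can never be mistaken for a verified JWS, or vice versa) and its 'alg'
    is on the caller's allow-list. Returns the parsed protected header.
    """
    kind = classify_token(token)
    if kind != expected:
        raise TokenTypeError(f"expected {expected}, got {kind}")
    header = json.loads(_b64url_decode(token.split(".")[0]))
    if header["alg"] not in allowed_algs:
        raise TokenTypeError(f"algorithm {header['alg']!r} not allowed")
    return header


def accepts(token: str, expected: str, allowed_algs: frozenset) -> bool:
    """Boolean convenience wrapper around require_token_type."""
    try:
        require_token_type(token, expected, allowed_algs)
        return True
    except TokenTypeError:
        return False


if __name__ == "__main__":
    signed_only = frozenset({"RS256"})
    print("signed token as JWS   :", accepts(SIGNED_TOKEN, "JWS", signed_only))
    print("encrypted token as JWS:", accepts(ENCRYPTED_TOKEN, "JWS", signed_only))
```

This pre-check only decides whether a token is allowed to reach the verifier; signature verification or decryption still has to happen afterwards with the library of choice. Its value is that a verifier configured for signed tokens never hands an encrypted token, together with a private key, to code that would silently accept it. jwcrypto releases from 1.4 onward also let the caller pass an expected token type to the JWT constructor, which achieves the same pinning inside the library itself.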
Severity
Medium
CVSS v3 Base Score
5.0

Affected Packages

Platform              | Package         | Release Date | Advisory | Status
Amazon Linux 2 - Core | python-jwcrypto | -            | -        | No Fix Planned

CVSS Scores

Score Type          | Score | Vector
Amazon Linux CVSSv3 | 5.0   | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L