Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk:Medium] pyjwt- Use of a Broken or Risky Cryptographic Algorithm (due by 07/24/2022) #5247

Closed
1 task
cnlucas opened this issue May 25, 2022 · 3 comments · Fixed by #5401
Closed
1 task

[Snyk:Medium] pyjwt- Use of a Broken or Risky Cryptographic Algorithm (due by 07/24/2022) #5247

cnlucas opened this issue May 25, 2022 · 3 comments · Fixed by #5401
Assignees
@cnlucas
Labels
Security: general General security concern or issue Security: moderate Remediate within 60 days
Milestone
Sprint 19.2

Comments

@cnlucas
Copy link
Member

cnlucas commented May 25, 2022
edited
Loading

Summary

Introduced through
cg-django-uaa@2.1.3
Fixed in
pyjwt@2.4.0

Detailed paths and remediation

Introduced through: project@0.0.0 › cg-django-uaa@2.1.3 › pyjwt@1.7.1
[Fix: Pin pyjwt to version 2.4.0]

Overview

PyJWT is a Python implementation of RFC 7519.

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm via non-blacklisted public key formats leading to key confusion.

Completion criteria

  • Verify that this is indeed a vulnerability for us and either complete the remediation or document, close the ticket and snooze the Snyk alert.
@cnlucas cnlucas added this to the Sprint 18.5 milestone May 25, 2022
@cnlucas cnlucas added Security: moderate Remediate within 60 days Security: general General security concern or issue labels May 25, 2022
@cnlucas cnlucas mentioned this issue May 25, 2022
Closed
1 task
This was referenced Jun 1, 2022
Closed
Closed
@pkfec pkfec mentioned this issue Jun 15, 2022
Closed
@pkfec pkfec mentioned this issue Jun 22, 2022
Closed
1 task
@cnlucas cnlucas self-assigned this Jun 28, 2022
@cnlucas cnlucas mentioned this issue Jun 29, 2022
Closed
@cnlucas cnlucas mentioned this issue Jul 6, 2022
Closed
1 task
@cnlucas
Copy link
Member Author

cnlucas commented Jul 7, 2022
edited
Loading

cloud-gov/django-uaa#65
PR put in for their review, they need to remove cap on pyJWT

@cnlucas cnlucas modified the milestones: Sprint 18.5, Sprint 18.6 Jul 8, 2022
This was referenced Jul 13, 2022
Closed
Closed
@cnlucas cnlucas modified the milestones: Sprint 18.6, PI 18 innovation Jul 26, 2022
@cnlucas cnlucas mentioned this issue Jul 27, 2022
Closed
This was referenced Aug 10, 2022
Closed
Closed
@rfultz rfultz mentioned this issue Aug 17, 2022
Closed
@JonellaCulmer
Copy link
Contributor

@cnlucas @rfultz Can this be closed?

@cnlucas cnlucas modified the milestones: PI 18 innovation, Sprint 19.2 Aug 25, 2022
@patphongs patphongs mentioned this issue Aug 25, 2022
Closed
1 task
@cnlucas
Copy link
Member Author

cnlucas commented Aug 29, 2022

@JonellaCulmer They just released the new version of cg-django-uaa, but there's still been an issue with our builds. Moving forward

This was referenced Aug 31, 2022
Merged
Closed
Closed
@cnlucas cnlucas mentioned this issue Sep 7, 2022
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cnlucas cnlucas

Labels
Security: general General security concern or issue Security: moderate Remediate within 60 days
Projects
None yet
Milestone
Sprint 19.2
Development

Successfully merging a pull request may close this issue.

5247-Upgrade python and cg-django-uaa fecgov/fec-cms
2 participants
@JonellaCulmer @cnlucas