CVE-2024-23342, High level vulnerability

[navya-sriv]

Hey guys,
python-jose is affected by CVE-2024-23342 through its ecdsa dependency. The vulnerability stems from insufficient validation in ECDSA key handling, which could potentially allow signature forgery. Could you please take a look and see if there’s a way to address this?

[SerbanTudor04]

Is there anything regarding this issue?

[andycui66]

ecdsa miantainer mentioned they will not fix it and suggest to use pyca/cryptography. Can python-jose migrate away from ecdsa?

[dargmuesli]

I guess if you go with an installation of python-jose[cryptography], as the README states, pyca/cryptography is used as cryptographic backend instead of ecdsa and you should be fine, no?

[andycui66]

Even though ecdsa is not used, it is still installed as a dependency.