okta-sdk-python icon indicating copy to clipboard operation
okta-sdk-python copied to clipboard
verified publisher icon okta

vulnerability in indirect import of ecdsa library

Open somurzakov-rbx opened this issue 1 year ago • 1 comments

https://security.snyk.io/vuln/SNYK-PYTHON-ECDSA-6184115 https://nvd.nist.gov/vuln/detail/CVE-2024-23342

okta is using python-jose library, which in turn is using ecdsa library. ecdsa package has CVE-2024-23342 and currently has no version that fixes this vuln.

is Okta planning to close this vuln, by removing ecdsa dependency for different library? thanks

somurzakov-rbx avatar Apr 03 '24 21:04 somurzakov-rbx

Related issue in python-jose: https://github.com/mpdavis/python-jose/issues/341

  • The suggestions are to use python-jose[cryptography] or not use python-jose at all.
  • Using python-jose[cryptography] will, however, still install ecdsa but will not use it.

nkatomeris-r7 avatar Apr 18 '24 14:04 nkatomeris-r7

This should be fixed by #403 . Please submit new issue referencing this one if this is still a problem.

bryanapellanes-okta avatar May 30 '24 19:05 bryanapellanes-okta