Vulnerability on dependency (ecdsa), not planned to be fixed

[Merinorus]

Hello,

The ecdsa package is a requirement for this project. There is a vulnerability affecting the latest version (0.18.0), but the maintainers don't plan to fix it.
More information here: GHSA-wj6h-64fc-37mp

[syntaxaire]

I was also brought here by security alerts this morning.

From the python-ecdsa security policy, which the maintainers cite in their reply:

This library was not designed with security in mind. If you are processing data that needs to be protected we suggest you use a quality wrapper around OpenSSL.

So I would ask, what is it being used for in this project?

Edit: It seems this repository is abandoned (#332). The solution is to get away from python-jose as a dependency. My team's requirements are met by PyJWT which is 4x more popular (by stars) but has 5x fewer open issues.

[JonasKs]

So I would ask, what is it being used for in this project?

This project allow you to use multiple backends, one of them is cryptography, as is the solution suggested solution.

It’s all there, in the README: https://github.com/mpdavis/python-jose?tab=readme-ov-file#cryptographic-backends

In other words, ensure you’re using the cryptography backend. You can also uninstall the ecdsa library, even though it’s unused when using the cryptography backend.

EDIT: As more CVEs are uncovered and this project is stale, I've migrated to PyJWT.

[lsmith77]

guess it makes more sense to just migrate to https://github.com/jpadilla/pyjwt

[yaronbenezra]

hello,

The dependence on this library on ecdsa exposes us to several attacks :

ecdsa Missing Encryption of Sensitive Data [CVSS 7.4]
and also ecdsa Timing Attack [CVE-2024-23342]

The ECDSA is not maintained and not built for production:
https://github.com/tlsfuzzer/python-ecdsa

Why you are still using it, can you please dispose of it?

I think if you continue to use them you also need to add the following note to your project:

" NOTE: This library should not be used in production settings, see Security for more details."

please help the world to be a safer

[JonasKs]

@yaronbenezra , did you even read my reply?

[mathieuruellanmyscript]

Perhaps a stupid question: If it works with other backends, why not removing ecdsa backend?

[lsmith77]

The package is not maintained, so no changes can be done to it.