CVSS: 2.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53861 – Issuer field partial matches allowed in pyjwt
https://notcve.org/view.php?id=CVE-2024-53861
pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" ! • https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366 https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1 https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm • CWE-697: Incorrect Comparison •