
CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Dec 2020 — Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg. 2) JWA `none` algorithm was allowed in all flows. 3) oic.consumer.Consumer.parse_authz returns an unverified IdToken. The verification of the token was left to the discretion of... • https://github.com/OpenIDC/pyoidc/commit/62f8d753fa17c8b1f29f8be639cf0b33afb02498 • CWE-325: Missing Cryptographic Step • CWE-347: Improper Verification of Cryptographic Signature