ByteOS Network

Vulnerability Details :

CVE-2024-33663

Assigner-mitre

Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca

Published At-25 Apr, 2024 | 00:00

Updated At-03 Sep, 2024 | 19:34

python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:mitre

Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca

Published At:25 Apr, 2024 | 00:00

Updated At:03 Sep, 2024 | 19:34

▼CVE Numbering Authority (CNA)

python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

Affected Products

Vendor

n/a

Product

n/a

Versions

Affected

Problem Types

Type	CWE ID	Description
text	N/A	n/a

Type: text

CWE ID: N/A

Description: n/a

References

Hyperlink	Resource
https://github.com/mpdavis/python-jose/issues/346	N/A
https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-python-jose-cve-2024-33663	N/A

Hyperlink: https://github.com/mpdavis/python-jose/issues/346

Resource: N/A

Hyperlink: https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-python-jose-cve-2024-33663

Resource: N/A

▼Authorized Data Publishers (ADP)

1. CISA ADP Vulnrichment

Affected Products

Vendor

python-jose_project

Product

python-jose

CPEs

cpe:2.3:a:python-jose_project:python-jose:*:*:*:*:*:*:*:*

Default Status

unknown

Versions

Affected

From 0 through 3.3.0 (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-327	CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Type: CWE

CWE ID: CWE-327

Description: CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Metrics

Version	Base score	Base severity	Vector
3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Metrics Other Info

2. CVE Program Container

References

Hyperlink	Resource
https://github.com/mpdavis/python-jose/issues/346	x_transferred
https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-python-jose-cve-2024-33663	N/A

Hyperlink: https://github.com/mpdavis/python-jose/issues/346

Resource:

x_transferred

Hyperlink: https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-python-jose-cve-2024-33663

Resource: N/A

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:cve@mitre.org

Published At:26 Apr, 2024 | 00:15

Updated At:03 Sep, 2024 | 20:15

python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 6.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Weaknesses

CWE ID	Type	Source
CWE-327	Secondary	134c704f-9b21-4f2e-91b3-4a467353bcc0

CWE ID: CWE-327

Type: Secondary

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

References

Hyperlink	Source	Resource
https://github.com/mpdavis/python-jose/issues/346	cve@mitre.org	N/A
https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-python-jose-cve-2024-33663	cve@mitre.org	N/A

Hyperlink: https://github.com/mpdavis/python-jose/issues/346

Source: cve@mitre.org

Resource: N/A

Hyperlink: https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-python-jose-cve-2024-33663

Source: cve@mitre.org

Resource: N/A

Similar CVEs

4Records found

CVE-2021-3979

Matching Score-4

Assigner-Red Hat, Inc.

View Details

Matching Score-4

Assigner-Red Hat, Inc.

CVSS Score-6.5||MEDIUM

EPSS-0.24% / 47.30%

7 Day CHG-0.01%

Published-25 Aug, 2022 | 00:00

Updated-13 Feb, 2025 | 16:28

A key length flaw was found in Red Hat Ceph Storage. An attacker can exploit the fact that the key length is incorrectly passed in an encryption algorithm to create a non random key, which is weaker and can be exploited for loss of confidentiality and integrity on encrypted disks.

Vendor-n/a Red Hat, Inc.Fedora Project

Product-ceph_storage ceph_storage_for_ibm_z_systems openshift_data_foundation enterprise_linux fedora ceph_storage_for_power openshift_container_storage openstack_platform ceph

CWE ID-CWE-327

Use of a Broken or Risky Cryptographic Algorithm

CWE ID-CWE-287

Improper Authentication

CVE-2024-28980

Matching Score-4

Assigner-Dell

View Details

Matching Score-4

Assigner-Dell

CVSS Score-6.5||MEDIUM

EPSS-0.10% / 27.45%

7 Day CHG~0.00%

Published-13 Dec, 2024 | 14:20

Updated-04 Feb, 2025 | 15:55

Dell RecoverPoint for VMs, version(s) 6.0.x contain(s) a Use of a Broken or Risky Cryptographic Algorithm vulnerability in the SSH. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Remote execution.

Vendor-Dell Inc.

Product-recoverpoint_for_virtual_machines RecoverPoint for Virtual Machines

CWE ID-CWE-327

Use of a Broken or Risky Cryptographic Algorithm

CVE-2021-31562

Matching Score-4

Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)

View Details

Matching Score-4

Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)

CVSS Score-6.5||MEDIUM

EPSS-0.09% / 26.15%

7 Day CHG~0.00%

Published-21 Jan, 2022 | 18:17

Updated-16 Apr, 2025 | 16:47

Fresenius Kabi Agilia Connect Infusion System use of a broken or risky cryptographic algorithm

The SSL/TLS configuration of Fresenius Kabi Agilia Link + version 3.0 has serious deficiencies that may allow an attacker to compromise SSL/TLS sessions in different ways. An attacker may be able to eavesdrop on transferred data, manipulate data allegedly secured by SSL/TLS, and impersonate an entity to gain access to sensitive information.

Vendor-fresenius-kabi Fresenius Kabi

Product-agilia_link\+_firmware agilia_connect_firmware vigilant_insight agilia_connect vigilant_mastermed vigilant_centerium agilia_link\+agilia_partner_maintenance_software Agilia Link+

CWE ID-CWE-327

Use of a Broken or Risky Cryptographic Algorithm

CVE-2021-32593

Matching Score-4

Assigner-Fortinet, Inc.

View Details

Matching Score-4

Assigner-Fortinet, Inc.

CVSS Score-6.5||MEDIUM

EPSS-0.17% / 38.09%

7 Day CHG~0.00%

Published-06 Apr, 2022 | 09:15

Updated-25 Oct, 2024 | 13:33

A use of a broken or risky cryptographic algorithm vulnerability [CWE-327] in the Dynamic Tunnel Protocol of FortiWAN before 4.5.9 may allow an unauthenticated remote attacker to decrypt and forge protocol communication messages.

Vendor-Fortinet, Inc.

Product-fortiwan Fortinet FortiWAN

CWE ID-CWE-327

Use of a Broken or Risky Cryptographic Algorithm

CVE-2024-33663

Credits

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs