{"id":"GHSA-w799-prg3-cx77","summary":"python-jose fails to use a constant-time comparison for HMAC keys","details":"python-jose before 1.3.2 does not use a constant-time comparison for HMAC keys, which allows attackers to have unspecified impact by leveraging the resulting observable timing discrepancy (CWE-208). The issue is fixed in python-jose 1.3.2.","aliases":["CVE-2016-7036","PYSEC-2017-28"],"modified":"2024-10-16T21:16:18.602227Z","published":"2022-05-17T03:02:29Z","database_specific":{"nvd_published_at":"2017-01-23T21:59:00Z","severity":"CRITICAL","cwe_ids":["CWE-208"],"github_reviewed":true,"github_reviewed_at":"2023-07-31T21:03:29Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-7036"},{"type":"WEB","url":"https://github.com/mpdavis/python-jose/pull/35/commits/89b46353b9f611e9da38de3d2fedf52331167b93"},{"type":"WEB","url":"https://github.com/mpdavis/python-jose/commit/73007d6887a7517ac07c6e755e494baee49ef513"},{"type":"PACKAGE","url":"https://github.com/mpdavis/python-jose"},{"type":"WEB","url":"https://github.com/mpdavis/python-jose/releases/tag/1.3.2"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/python-jose/PYSEC-2017-28.yaml"},{"type":"WEB","url":"https://web.archive.org/web/20210123221523/http://www.securityfocus.com/bid/95845"}],"affected":[{"package":{"name":"python-jose","ecosystem":"PyPI","purl":"pkg:pypi/python-jose"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.2"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.2.0","0.3.0","0.4.0","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.6.1","0.6.2","0.7.0","1.0.0","1.1.0","1.2.0","1.3.0","1.3.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w799-prg3-cx77/GHSA-w799-prg3-cx77.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}