[CVE-2024-23342] python-jose include by default python-ecdsa

[fruch]

this package is using python-jose which in turns bring in python-ecdsa

which has high CVE-2024-23342
see:
GHSA-wj6h-64fc-37mp

see discussion on python-jose:
mpdavis/python-jose#341

[leonides-saguisag]

Can remediating this be prioritized? Our security tooling is flagging this vulnerability.

[amancioandre]

Upvoting my colleague request above. Security is flagging this as a high risk vulnerability.

[fruch]

If it was any other package that uses it, but the one gating the security for all of the organization services and tools, this is a little alarming.

Even though this package won't be used when cryptography is installed, it's not trivial for anyone to make sure it's not

[mdowling17]

@okta pyjwt is a good alternative to python-jose.

[mrdcbrush]

There is a workaround If you do not need the JWT and JSK methods of the SDK.

The following Okta SDK dependencies can be uninstalled.

python-jose
ecdsa
pyasn1
rsa
six

After uninstalling those libraries you can comment out lines 3 and 4 in:
./okta/jwt.py

3 # import jose.jwk as jwk
4 # import jose.jwt as jwt

[fruch]

There is a workaround If you do not need the JWT and JSK methods of the SDK.

The following Okta SDK dependencies can be uninstalled.

python-jose
ecdsa
pyasn1
rsa
six

After uninstalling those libraries you can comment out lines 3 and 4 in:
./okta/jwt.py

3 # import jose.jwk as jwk
4 # import jose.jwt as jwt

Thanks @mrdcbrush, it would make sure it doesn't use that library, yes.

But lots of the tooling which are just gonna read your requirements.txt or lock files, would still gonna warn about this.

I would expect OKTA to find a better solution, and not such that we need to have extra steps after installing and patching the code.

[bryanapellanes-okta]

This should be fixed by #403. Please submit new issue referencing this one if this is still a problem.