Allow cryptography >= 42 to resolve high-severity security vulnerability. #600

Closed
5 tasks done
phillipuniverse opened this issue Feb 18, 2024 · 3 comments · Fixed by #605
Labels
feature request A feature has been asked for or suggested by the community

Comments

@phillipuniverse

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

There is a high-severity vulnerability in Cryptography < 42, see GHSA-3ww4-gg4f-jr7f.

Since this library forces Cryptography < 42, I cannot upgrade to a non-vulnerable version.

Describe the ideal solution

The dependency version for Cryptography is relaxed at

cryptography = "^41.0.5" # pyjwt has a weak dependency on cryptography

to allow cryptography >= 42.

Alternatives and current workarounds

No workaround is available for Poetry since this is a hard requirement from the auth0-python library.

Additional context

No response

@phillipuniverse phillipuniverse added the feature request A feature has been asked for or suggested by the community label Feb 18, 2024
@phillipuniverse phillipuniverse changed the title Allow cryptography > 42 Allow cryptography >= 42 to resolve high-severity security vulnerability. Feb 18, 2024
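
Why the caret constraint quoted in the issue blocks the upgrade, as an added example that is not part of the original issue or of the auth0-python code: Poetry expands `^41.0.5` to `>=41.0.5,<42.0.0`, so no 42.x release can be resolved. The helper names, the sample `pyproject.toml` and the `42.0.0` minimum (standing in for the issue's "cryptography >= 42") are assumptions; only plain numeric versions are handled.

```python
"""Flag Poetry caret constraints that cap a dependency below a required release."""
import re

def parse_version(text):
    """Turn '41.0.5' into (41, 0, 5); missing parts are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def caret_bounds(constraint):
    """Return (lower, upper) for a caret constraint, meaning lower <= v < upper."""
    match = re.fullmatch(r"\^(\d+(?:\.\d+){0,2})", constraint.strip())
    if not match:
        raise ValueError(f"not a caret constraint: {constraint!r}")
    given = [int(p) for p in match.group(1).split(".")]
    # Bump the leftmost non-zero component; if all are zero, bump the last one given.
    idx = next((i for i, p in enumerate(given) if p != 0), len(given) - 1)
    upper = given[:idx] + [given[idx] + 1]
    return parse_version(match.group(1)), parse_version(".".join(map(str, upper)))

def admits(constraint, version):
    """True if the caret constraint allows the given version."""
    lower, upper = caret_bounds(constraint)
    return lower <= parse_version(version) < upper

def capped_below_fix(dependencies, required_min):
    """List (name, constraint) pairs whose caret range excludes the required release."""
    findings = []
    for name, spec in dependencies.items():
        # Poetry also allows a table form: {version = "^1.0", extras = [...]}
        constraint = spec.get("version", "") if isinstance(spec, dict) else spec
        wanted = required_min.get(name)
        if wanted and constraint.startswith("^") and not admits(constraint, wanted):
            findings.append((name, constraint))
    return findings

# Constructed sample; only the cryptography line is taken from the issue.
SAMPLE_PYPROJECT = '''
[tool.poetry.dependencies]
python = ">=3.8"
cryptography = "^41.0.5"
requests = "^2.31.0"
'''

if __name__ == "__main__":
    import tomllib  # standard library from Python 3.11
    deps = tomllib.loads(SAMPLE_PYPROJECT)["tool"]["poetry"]["dependencies"]
    for name, constraint in capped_below_fix(deps, {"cryptography": "42.0.0"}):
        print(f"{name} {constraint} excludes the required release")
```

The same check applies to the lock file of a downstream project: any package that pins `cryptography` with a caret on 41.x forces the resolver to stay below 42.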
@AVerrico-Eyeonic

Would really appreciate this being addressed.

@wmyre

wmyre commented Feb 22, 2024

Please address. This is a high vulnerability being detected, as it is now on https://nvd.nist.gov/vuln/detail/CVE-2024-26130

@wmyre

wmyre commented Feb 22, 2024

#597: a PR is already out there, ready for approval.
