[SECURITY] Version 1.2.4 is effected by CVE-2024-23342 in edcsa #44

kartikye · 2024-02-13T22:51:22Z

robert-mings · 2024-02-16T04:10:53Z

Hey @kartikye, we're on it and are exploring a different cryptographic backend or a new package altogether.

Keep an eye out for updates.

r-thomson · 2024-02-20T19:23:29Z

edcsa is being brought in by python-jose, which has not had a release since 2021. Most of the Python ecosystem seems to have moved to pyjwt.

geekkun · 2024-03-01T12:53:05Z

1.2.5 is also affected :(

3point14guy · 2024-04-26T20:18:46Z

Natim · 2024-05-28T12:36:22Z

We now have two alternates #48 and #49

yahel2410 · 2024-07-14T14:26:45Z

Any update on this matter? this CVE affects a lot of our services' score.

robert-mings · 2024-08-01T00:25:53Z

Hi @kartikye, @r-thomson, @geekkun, @3point14guy, @Natim @yahel2410 - v1.2.6 solves this by moving to pyjwt and is now available. Please update as soon as possible. Thanks!

robert-mings closed this as completed Aug 1, 2024

yahel2410 mentioned this issue Aug 7, 2024

Update intuit-oauth to v1.2.6 ej2/python-quickbooks#362

Closed

Provide feedback