CVE-2024-33663 - Vulnerability Details

python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Python-jose Project	Python-jose
Redhat	Ansible Automation Platform

Configuration 1 [-]

cpe:2.3:a:python-jose_project:python-jose:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Ansible Automation Platform 2.4 for RHEL 8
automation-controller-0:4.5.10-1.el8ap	cpe:/a:redhat:ansible_automation_platform:2.4::el8	RHSA-2024:6428	2024-09-05T00:00:00Z
Red Hat Ansible Automation Platform 2.4 for RHEL 9
automation-controller-0:4.5.10-1.el9ap	cpe:/a:redhat:ansible_automation_platform:2.4::el9	RHSA-2024:6428	2024-09-05T00:00:00Z

References

Link	Providers
https://github.com/mpdavis/python-jose/issues/346
https://nvd.nist.gov/vuln/detail/CVE-2024-33663
https://www.cve.org/CVERecord?id=CVE-2024-33663
https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-python-jose-cve-2024-33663

History

Tue, 02 Sep 2025 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Python-jose Project Python-jose Project python-jose
CPEs		cpe:2.3:a:python-jose_project:python-jose::::::::
Vendors & Products		Python-jose Project Python-jose Project python-jose

Sun, 08 Sep 2024 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat ansible Automation Platform
CPEs		cpe:/a:redhat:ansible_automation_platform:2.4::el8 cpe:/a:redhat:ansible_automation_platform:2.4::el9
Vendors & Products		Redhat Redhat ansible Automation Platform

Mon, 19 Aug 2024 08:30:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:python-jose_project:python-jose::::::::
Vendors & Products	Python-jose Project Python-jose Project python-jose
References		https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-python-jose-cve-2024-33663
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-04-25T00:00:00

Updated: 2024-09-03T19:34:19.749577

Reserved: 2024-04-25T00:00:00

Link: CVE-2024-33663

Vulnrichment

Updated: 2024-08-19T07:38:26.262Z

NVD

Status : Analyzed

Published: 2024-04-26T00:15:09.010

Modified: 2025-09-02T18:37:53.477

Link: CVE-2024-33663

Redhat

Severity : Moderate

Publid Date: 2024-04-26T00:00:00Z

Links: CVE-2024-33663 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object