jwk.py

[mr-n30]

Hello world,

The function construct in

python-jose/jose/jwk.py

Line 63 in 4b0701b

def construct(key_data, algorithm=None):

contains an Generation of Error Message Containing Sensitive Information vulnerability that allows an attacker to view the victims Secret Key that is used to sign tokens. With the secret key an attacker would be able to create and sign valid tokens on the victims site and bypass authentication if JWT's are used for authorizing a user via the HTTP Authorization header for example. I've submitted a fix and PR:

#328

Best regards,
mr-n30