https://github.com/ardevd/jlrpy/security/advisories/new #7305

@AidanDalyAus

Description

Package Information

  • Ecosystem: pip
  • Package name: jlrpy
  • Repository: https://github.com/ardevd/jlrpy
  • Affected versions: <= latest (all released versions at the time of reporting)
  • Patched versions: None
  • Severity: High
  • CWE: CWE-798, CWE-287

Summary

The jlrpy Python package (a client library for the Jaguar Land Rover InControl API; 89 stars, ~4.2K downloads/90 days) ships hardcoded API client secrets and uses the last 4 characters of the VIN as the PIN that authorises vehicle commands.

Finding 1: Hardcoded x-App-Secret (CWE-798, High)

jlrpy.py line 157:

"x-App-Secret": "7bf6f544-1926-4714-8066-ceceb40d538d"

Static UUID shared by every installation of the library. JLR cannot use it to distinguish legitimate API clients from rogue ones, and revoking it would break every installation at once.

Finding 2: Hardcoded Basic Auth (CWE-798, High)
jlrpy.py line 163:

"Authorization": "Basic YXM6YXNwYXNz"

Base64 decoded: as:aspass. These are static client credentials presented to JLR's OAuth token endpoint by every installation.
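As an added example (not code from jlrpy or from the advisory author), the following static check finds the two patterns from Findings 1 and 2 in Python source: a quoted dict key mentioning "secret" whose value is a UUID literal, and an Authorization header carrying a literal Basic credential, which it decodes to show the embedded username and password. The sample source is constructed from the two header lines quoted above; the regexes, function names and finding format are the example's own.

```python
import base64
import re

# Constructed sample source: the two header lines quoted in Findings 1 and 2,
# embedded here so the check runs offline without a jlrpy checkout.
SAMPLE_SOURCE = '''
headers = {
    "x-App-Secret": "7bf6f544-1926-4714-8066-ceceb40d538d",
    "Authorization": "Basic YXM6YXNwYXNz",
    "Content-Type": "application/json",
}
'''

# A dict key mentioning "secret" whose value is a UUID literal.
UUID_SECRET_RE = re.compile(
    r'"([A-Za-z0-9_-]*[Ss]ecret[A-Za-z0-9_-]*)"\s*:\s*'
    r'"([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"'
)
# An Authorization header with a literal Basic credential.
BASIC_AUTH_RE = re.compile(r'"Authorization"\s*:\s*"Basic\s+([A-Za-z0-9+/=]+)"')


def decode_basic(token):
    """Decode a Basic credential to (user, password).

    Returns None when the token is not strict base64, not UTF-8, or has no
    ':' separator, so a false regex hit does not crash the scan.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def scan_source(text):
    """Return one finding dict per hardcoded credential found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = UUID_SECRET_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "uuid-secret",
                             "key": m.group(1), "value": m.group(2)})
        m = BASIC_AUTH_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "basic-auth",
                             "token": m.group(1), "decoded": decode_basic(m.group(1))})
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

Run it against a real checkout by reading jlrpy.py into `scan_source`. Both regexes are deliberately narrow (quoted JSON-style keys on a single line); a broader secret scanner would also look at string concatenation and environment fallbacks, but for this package the two literals are exactly the single-line form shown above.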

Finding 3: VIN Last-4 Used as PIN (CWE-287, High)
jlrpy.py line 672:

def _authenticate_vin_protected_service(self, service_name):
    return self._authenticate_service(self.vin[-4:], service_name)

Vehicle commands (honk/blink, climate control, charge management) are "protected" by the last 4 characters of the VIN. The VIN is visible through the windshield and appears in registration records, so anyone who can see the car can derive the PIN. It adds no real protection beyond the OAuth session that already issued the request; this is effectively no authentication.

Finding 4: ROPC Password Grant (CWE-522, Medium)
jlrpy.py line 76: the plaintext account password is stored in the self.oauth dict for the lifetime of the object and re-sent with every token refresh (Resource Owner Password Credentials grant) instead of being exchanged once and discarded.
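An added example (not jlrpy's code and not from the fix PR) of the retention pattern in Finding 4 beside a hardened form. Both clients talk to a constructed stand-in token endpoint, not JLR's; the endpoint counts how often the password is sent and issues single-use refresh tokens. The hardened client assumes the server returns a refresh_token it can use for later refreshes, which is an assumption of the example, not something the advisory states about JLR's endpoint.

```python
import secrets


class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth token endpoint (not JLR's): accepts
    password and refresh_token grants, rotates refresh tokens, counts password use."""

    def __init__(self, users):
        self._users = users            # username -> password (constructed)
        self._refresh_tokens = {}      # live refresh token -> username
        self.password_grants = 0       # how many times a password reached us

    def token(self, form):
        if form["grant_type"] == "password":
            self.password_grants += 1
            username = form["username"]
            if self._users.get(username) != form["password"]:
                raise PermissionError("invalid credentials")
        elif form["grant_type"] == "refresh_token":
            # pop() makes every refresh token single use (rotation)
            username = self._refresh_tokens.pop(form["refresh_token"], None)
            if username is None:
                raise PermissionError("invalid or already-used refresh token")
        else:
            raise ValueError("unsupported grant_type")
        refresh = secrets.token_hex(16)
        self._refresh_tokens[refresh] = username
        return {"access_token": secrets.token_hex(16),
                "refresh_token": refresh, "expires_in": 900}


class VulnerableClient:
    """Pattern from Finding 4: password kept in self.oauth, re-sent on every refresh."""

    def __init__(self, endpoint, email, password):
        self.endpoint = endpoint
        self.oauth = {"grant_type": "password",
                      "username": email, "password": password}
        self.tokens = None
        self.refresh_tokens()

    def refresh_tokens(self):
        self.tokens = self.endpoint.token(self.oauth)   # password grant again


class HardenedClient:
    """Sends the password once, keeps only tokens, refreshes with refresh_token."""

    def __init__(self, endpoint, email, password):
        self.endpoint = endpoint
        self.tokens = endpoint.token({"grant_type": "password",
                                      "username": email, "password": password})
        # `password` is a local and goes out of scope here; nothing on self holds it.

    def refresh_tokens(self):
        self.tokens = self.endpoint.token(
            {"grant_type": "refresh_token",
             "refresh_token": self.tokens["refresh_token"]})


def holds_password(client, password):
    """True if the plaintext password is reachable from the client's attributes."""
    for value in vars(client).values():
        if value == password:
            return True
        if isinstance(value, dict) and password in value.values():
            return True
    return False


def refresh_reuse_rejected(endpoint, stale_refresh_token):
    """True if replaying an already-used refresh token is refused."""
    try:
        endpoint.token({"grant_type": "refresh_token",
                        "refresh_token": stale_refresh_token})
    except PermissionError:
        return True
    return False


def compare(refreshes=3):
    """Run both clients through `refreshes` refresh cycles and report what differs."""
    users = {"owner@example.com": "hunter2"}   # constructed credentials
    vuln_ep, hard_ep = FakeTokenEndpoint(users), FakeTokenEndpoint(users)
    vuln = VulnerableClient(vuln_ep, "owner@example.com", "hunter2")
    hard = HardenedClient(hard_ep, "owner@example.com", "hunter2")
    first_refresh = hard.tokens["refresh_token"]
    for _ in range(refreshes):
        vuln.refresh_tokens()
        hard.refresh_tokens()
    return {"vulnerable_password_grants": vuln_ep.password_grants,
            "hardened_password_grants": hard_ep.password_grants,
            "vulnerable_retains_password": holds_password(vuln, "hunter2"),
            "hardened_retains_password": holds_password(hard, "hunter2"),
            "stale_refresh_rejected": refresh_reuse_rejected(hard_ep, first_refresh)}
```

The password grant itself is dictated by the server, so a client library cannot avoid sending the password once; what it controls is whether the password outlives that first exchange. `compare()` shows the vulnerable client sending it on every refresh and keeping it in memory, while the hardened client sends it once and then holds only tokens.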

Fix PR
https://github.com/ardevd/jlrpy/pull/132

Affected code
x-App-Secret: https://github.com/ardevd/jlrpy/blob/master/jlrpy.py#L157
Basic Auth: https://github.com/ardevd/jlrpy/blob/master/jlrpy.py#L163
VIN PIN: https://github.com/ardevd/jlrpy/blob/master/jlrpy.py#L672
ROPC: https://github.com/ardevd/jlrpy/blob/master/jlrpy.py#L76
