Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04cmpyLTZxcTUtcGo5cM4AATZV
Python RSA allows attackers to spoof signatures
The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.
Permalink: https://github.com/advisories/GHSA-8rjr-6qq5-pj9pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cmpyLTZxcTUtcGo5cM4AATZV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 2 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-8rjr-6qq5-pj9p, CVE-2016-1494
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-1494
- https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by/diff
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175897.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175942.html
- http://lists.opensuse.org/opensuse-updates/2016-01/msg00032.html
- http://www.openwall.com/lists/oss-security/2016/01/05/1
- http://www.openwall.com/lists/oss-security/2016/01/05/3
- https://github.com/sybrenstuvel/python-rsa/commit/ab5d21c3b554f926d51ff3ad9c794bcf32e95b3c
- https://web.archive.org/web/20210123020914/http://www.securityfocus.com/bid/79829
- https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa
- https://github.com/advisories/GHSA-8rjr-6qq5-pj9p
Blast Radius: 25.7
Affected Packages
pypi:rsa
Dependent packages: 368Dependent repositories: 69,170
Downloads: 188,146,702 last month
Affected Version Ranges: < 3.3
Fixed in: 3.3
All affected versions: 1.3.1, 1.3.2, 1.3.3, 3.0.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.1, 3.2.2, 3.2.3
All unaffected versions: 3.4.1, 3.4.2, 4.1.1, 4.4.1, 4.7.1, 4.7.2