Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13ZzMzLXg5MzQtM2doaM4AAc86
jwcrypto lacks the Random Filling protection mechanism
The _Rsa15 class in the RSA 1.5 algorithm implementation (JWA alg RSA1_5) in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).
"Random Filling" is the countermeasure described in RFC 3218 (section 2.3.2): when PKCS#1 v1.5 unpadding of the wrapped content encryption key fails, the recipient substitutes a random key of the expected length and continues, so the decryption then fails at the content-encryption step exactly as it would for a well-padded but wrong key. Without it, a padding failure surfaces as a distinguishable error, and that error is the padding oracle Bleichenbacher's 1998 Million Message Attack uses, through a large number of chosen ciphertexts, to recover the RSA-encrypted content encryption key and with it the JWE plaintext.
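The following is an added example, not jwcrypto's own code, showing the pre-0.3.2 failure mode beside the RFC 3218 random-filling fix. It uses only the Python standard library: a constructed toy RSA key (two Mersenne primes, 234-bit modulus, unusable for anything real), a hand-written PKCS#1 v1.5 encoder/decoder, and two unwrap functions. The length check in the hardened unwrap, the `observe` helper and all sample inputs are assumptions of this example.

```python
import os

# Constructed toy RSA key for this demo only: the Mersenne primes 2^127-1 and
# 2^107-1 give a 234-bit modulus, far too small for real use. A real JWE
# recipient key would be 2048 bits or more; the padding logic is the same.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+
K = (N.bit_length() + 7) // 8        # modulus length in bytes (30 here)


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 encoding: 00 02 || PS (>= 8 non-zero bytes) || 00 || M."""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps_len = k - len(msg) - 3
    ps = b""
    while len(ps) < ps_len:
        ps += bytes(b for b in os.urandom(k) if b != 0)
    return b"\x00\x02" + ps[:ps_len] + b"\x00" + msg


def pkcs1_v15_unpad(em: bytes, k: int) -> bytes:
    """Strict decoding; raises ValueError on any malformation (this is the oracle)."""
    if len(em) != k or em[0] != 0 or em[1] != 2:
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:                     # no separator, or PS shorter than 8 bytes
        raise ValueError("bad padding")
    return em[sep + 1:]


def rsa_public(em: bytes) -> bytes:
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def rsa_private(ek: bytes) -> bytes:
    return pow(int.from_bytes(ek, "big"), D, N).to_bytes(K, "big")


def wrap(cek: bytes) -> bytes:
    """RSA1_5 key wrap as a JWE sender performs it."""
    return rsa_public(pkcs1_v15_pad(cek, K))


def unwrap_vulnerable(ek: bytes, bitsize: int) -> bytes:
    """Pre-0.3.2 shape of the bug: a padding failure escapes as an exception,
    so the remote sender can tell conforming from non-conforming ciphertexts.
    bitsize is not even consulted; the caller gets whatever unpadding yields."""
    return pkcs1_v15_unpad(rsa_private(ek), K)


def unwrap_random_filling(ek: bytes, bitsize: int) -> bytes:
    """RFC 3218 2.3.2 random filling: start from a random CEK of the expected
    size and replace it only if unpadding succeeds with the right length (the
    length check is this example's addition). Every input yields a key, so a
    forgery fails later at the AEAD tag check like any wrong-but-well-padded key."""
    cek = os.urandom(bitsize // 8)
    try:
        candidate = pkcs1_v15_unpad(rsa_private(ek), K)
        if len(candidate) == bitsize // 8:
            cek = candidate
    except ValueError:
        pass
    return cek


def observe(unwrap, ek: bytes, bitsize: int = 128) -> str:
    """Everything the remote sender can learn from the unwrap step alone."""
    try:
        cek = unwrap(ek, bitsize)
    except ValueError:
        return "padding error"
    return "key of %d bytes" % len(cek)


# Constructed inputs: a genuine wrapped A128GCM key, and an attacker-chosen
# ciphertext whose decryption starts 00 03 instead of 00 02. The attacker can
# build such ciphertexts freely because only the public key is needed.
CEK = bytes(range(16))
VALID_EK = wrap(CEK)
FORGED_EK = rsa_public(b"\x00\x03" + b"\x41" * (K - 2))

if __name__ == "__main__":
    for name, fn in (("vulnerable", unwrap_vulnerable),
                     ("random filling", unwrap_random_filling)):
        print(name, "| valid:", observe(fn, VALID_EK),
              "| forged:", observe(fn, FORGED_EK))
```

With the vulnerable unwrap the two inputs are distinguishable ("key of 16 bytes" versus "padding error"); with random filling both report a 16-byte key, and only the later AEAD check fails. In the real attack the chosen ciphertexts are multiplicatively related to the target ciphertext rather than arbitrary, and on the order of a million such queries are needed, but the single bit leaked per query is what the whole attack runs on, which is why removing the distinguishable failure removes the attack.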
Permalink: https://github.com/advisories/GHSA-wg33-x934-3ghh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13ZzMzLXg5MzQtM2doaM4AAc86
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 19 days ago
CVSS Score: 5.3
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-wg33-x934-3ghh, CVE-2016-6298
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-6298
- https://github.com/latchset/jwcrypto/issues/65
- https://github.com/latchset/jwcrypto/pull/66
- https://github.com/latchset/jwcrypto/commit/eb5be5bd94c8cae1d7f3ba9801377084d8e5a7ba
- https://github.com/latchset/jwcrypto/releases/tag/v0.3.2
- https://web.archive.org/web/20200227230613/http://www.securityfocus.com/bid/92729
- https://github.com/advisories/GHSA-wg33-x934-3ghh
Blast Radius: 17.5
Affected Packages
pypi:jwcrypto
Dependent packages: 86
Dependent repositories: 1,962
Downloads: 1,962,515 last month
Affected Version Ranges: < 0.3.2
Fixed in: 0.3.2
All affected versions: 0.2.0, 0.2.1, 0.3.0, 0.3.1
All unaffected versions: 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.6.0, 0.9.1, 1.3.1, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6