GHSA-8rjr-6qq5-pj9p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8rjr-6qq5-pj9p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8rjr-6qq5-pj9p/GHSA-8rjr-6qq5-pj9p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8rjr-6qq5-pj9p
- Aliases
- Published
- 2022-05-14T00:59:49Z
- Modified
- 2024-10-21T22:10:52.441583Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Python RSA allows attackers to spoof signatures
- Details
-
The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.
- Database specific
{ "nvd_published_at": "2016-01-13T15:59:00Z", "cwe_ids": [ "CWE-20", "CWE-347" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-07-28T20:46:52Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2016-1494
- https://github.com/sybrenstuvel/python-rsa/commit/ab5d21c3b554f926d51ff3ad9c794bcf32e95b3c
- https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by/diff
- https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa
- https://github.com/pypa/advisory-database/tree/main/vulns/rsa/PYSEC-2016-10.yaml
- https://github.com/sybrenstuvel/python-rsa
- https://web.archive.org/web/20210123020914/http://www.securityfocus.com/bid/79829
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175897.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175942.html
- http://lists.opensuse.org/opensuse-updates/2016-01/msg00032.html
- http://www.openwall.com/lists/oss-security/2016/01/05/1
- http://www.openwall.com/lists/oss-security/2016/01/05/3
Affected packages
PyPI / rsa
Package
- Name
- rsa
- View open source insights on deps.dev
- Purl
- pkg:pypi/rsa