CVE-2016-6298 jwcrypto

Package

Manager: pip
Name: jwcrypto
Vulnerable Version: >=0 <0.3.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00446 (percentile: 0.62581)

Details

jwcrypto lacks the Random Filling protection mechanism

The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).
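The random-filling countermeasure named above, sketched as an added example (not jwcrypto's code and not part of the advisory): when the PKCS#1 v1.5 padding of a decrypted key block is invalid, a random content-encryption key (CEK) of the expected length is substituted, so the failure only appears later as an ordinary content-authentication error. It assumes `em` is the block produced by the raw RSA private-key operation; all function names and sample values are hypothetical.

```python
import os

MIN_PS_LEN = 8  # PKCS#1 v1.5 requires at least 8 non-zero padding bytes


def _strip_pkcs1_v15(em: bytes):
    """Return the payload of a 00 02 PS 00 M block, or None if malformed."""
    if len(em) < MIN_PS_LEN + 3 or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)      # first zero byte after the header ends PS
    if sep < 2 + MIN_PS_LEN:       # also covers "no separator" (sep == -1)
        return None
    return em[sep + 1:]


def unwrap_cek(em: bytes, cek_len: int) -> bytes:
    """Always return cek_len bytes; never report a padding failure.

    A caller that raises or returns a distinct error on bad padding gives
    the sender a padding oracle. Here a bad block yields a random key, and
    the message is rejected only when content decryption fails to
    authenticate, exactly as it would for any wrong key.
    Python cannot make this constant-time; a production implementation
    needs constant-time padding checks in native code.
    """
    fallback = os.urandom(cek_len)  # drawn on every call, valid padding or not
    payload = _strip_pkcs1_v15(em)
    if payload is None or len(payload) != cek_len:
        return fallback
    return payload


def make_em(cek: bytes, k: int = 256) -> bytes:
    """Constructed sample input: a well-formed block for a k-byte modulus."""
    ps = b"\xaa" * (k - 3 - len(cek))
    return b"\x00\x02" + ps + b"\x00" + cek


if __name__ == "__main__":
    cek = bytes(range(1, 17))                   # constructed 128-bit key
    good = make_em(cek)
    bad = b"\x00\x01" + good[2:]                # wrong block type byte
    print(unwrap_cek(good, 16) == cek)          # real key recovered
    print(len(unwrap_cek(bad, 16)))             # random key, same length
```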

Metadata

Created: 2022-05-17T03:39:31Z
Modified: 2024-11-19T19:24:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wg33-x934-3ghh/GHSA-wg33-x934-3ghh.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-wg33-x934-3ghh
Finding: F017
Auto approve: 1