CVE-2016-1494 — Improper Input Validation in RSA

CWE-20 — Improper Input Validation CWE-347 — Improper Verification of Cryptographic Signature9 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

5.1%

top 10.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python-rsa Project Python-rsa Python RSA Rustcrypto RSA +5 more

Timeline

PublishedJan 13

Latest updateMay 14

Description

The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages7 packages

▶NVDpython/rsa< 3.3

▶debiandebian/python-rsa< python-rsa 3.2.3-1.1 (bookworm)

▶Debianpython-rsa_project/python-rsa< 3.2.3-1.1+3

▶PyPIrustcrypto/rsa< 3.3

▶NVDopensuse/leap42.1

Also affects: Fedora 22, 23

Patches

Patch: bitbucket.org ↗Patch: bitbucket.org ↗

🔴Vulnerability Details

GHSA

Python RSA allows attackers to spoof signatures↗2022-05-14

▶

OSV

Python RSA allows attackers to spoof signatures↗2022-05-14

▶

OSV

CVE-2016-1494: The verify function in the RSA package for Python (Python-RSA) before 3↗2016-01-13

▶

📋Vendor Advisories

Microsoft

The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.↗2016-01-12

▶

Debian

CVE-2016-1494: python-rsa - The verify function in the RSA package for Python (Python-RSA) before 3.3 allows...↗2016

▶

💬Community

Bugzilla

CVE-2016-1494 python-rsa: Signature forgery using Bleichenbacher'06 attack↗2016-01-05

▶

Bugzilla

CVE-2016-1494 python-rsa: Signature forgery using Bleichenbacher'06 attack [epel-all]↗2016-01-05

▶

Bugzilla

CVE-2016-1494 python-rsa: Signature forgery using Bleichenbacher'06 attack [fedora-all]↗2016-01-05

▶