CVE-2016-6298 — Sensitive Information Exposure in Jwcrypto

CWE-200 — Sensitive Information Exposure8 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.4%

top 41.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Latchset Jwcrypto

Timeline

PublishedSep 1

Latest updateMay 17

Description

The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages2 packages

▶NVDlatchset/jwcrypto< 0.3.2

▶PyPIlatchset/jwcrypto< 0.3.2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

jwcrypto lacks the Random Filling protection mechanism↗2022-05-17

▶

OSV

jwcrypto lacks the Random Filling protection mechanism↗2022-05-17

▶

OSV

CVE-2016-6298: The _Rsa15 class in the RSA 1↗2016-09-01

▶

CVEList

CVE-2016-6298: The _Rsa15 class in the RSA 1↗2016-09-01

▶

📋Vendor Advisories

Debian

CVE-2016-6298: python-jwcrypto - The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto b...↗2016

▶

💬Community

Bugzilla

CVE-2016-6298 jwcrypto: million messages attack vulnerability↗2016-08-31

▶

Bugzilla

CVE-2016-6298 python-jwcrypto: jwcrypto: million messages attack vulnerability [fedora-all]↗2016-08-31

▶