CVE-2016-6298 Information

Feb 14, 2021 cve

Description

The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

http://www.securityfocus.com/bid/92729 https://github.com/latchset/jwcrypto/commit/eb5be5bd94c8cae1d7f3ba9801377084d8e5a7ba https://github.com/latchset/jwcrypto/issues/65 https://github.com/latchset/jwcrypto/pull/66 https://github.com/latchset/jwcrypto/releases/tag/v0.3.2

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

5.3

Share on: