CVE-2016-6298: Infoleak
First published: Thu Sep 01 2016(Updated: )
The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jwcrypto Project Jwcrypto | <=0.3.1 | |
| pip/jwcrypto | <0.3.2 | 0.3.2 |
| Latchset Jwcrypto | <0.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/92729
- https://github.com/latchset/jwcrypto/commit/eb5be5bd94c8cae1d7f3ba9801377084d8e5a7ba
- https://github.com/latchset/jwcrypto/issues/65
- https://github.com/latchset/jwcrypto/pull/66
- https://github.com/latchset/jwcrypto/releases/tag/v0.3.2
- https://nvd.nist.gov/vuln/detail/CVE-2016-6298
- https://web.archive.org/web/20200227230613/http://www.securityfocus.com/bid/92729
- https://github.com/advisories/GHSA-wg33-x934-3ghh (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/jwcrypto/PYSEC-2016-4.yaml
- collector/nvd-index
- agent/type
- agent/remedy
- agent/weakness
- agent/description
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/event
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-wg33-x934-3ghh
- alias/CVE-2016-6298
- agent/references
- collector/github-advisory
- collector/nvd-api
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/trending
- vendor/jwcrypto project
- canonical/jwcrypto project jwcrypto
- version/jwcrypto project jwcrypto/0.3.1
- package-manager/pip
- vendor/latchset
- canonical/latchset jwcrypto