PT-2016-4840 · Python+1 · Python-Rsa+1

Filippo Valsorda

Published

2016-01-12

Updated

2022-05-14

CVE-2016-1494

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Python-RSA versions prior to 3.3

Description The issue allows attackers to spoof signatures with a small public exponent via crafted signature padding, also known as a BERserk attack. This affects the verify function in the RSA package for Python.

Recommendations For versions prior to 3.3, update to version 3.3 or later to resolve the issue. As a temporary workaround, consider implementing additional signature verification checks to minimize the risk of exploitation.

Exploit

Fix

RCE

Improper Verification of Cryptographic Signature

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-347

Related Identifiers

CVE-2016-1494

GHSA-8RJR-6QQ5-PJ9P

MGASA-2016-0011

PYSEC-2016-10

SUSE-SU-2016:0107-1

SUSE-SU-2016_0107-1

Affected Products

Python-Rsa

Suse

PT-2016-4840 · Python+1 · Python-Rsa+1

CVE-2016-1494

Weakness Enumeration

Related Identifiers

Affected Products

References · 28