CVE-2016-1494: Python RSA allows attackers to spoof signatures
(updated )
The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.
References
- bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by/diff
- blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa
- github.com/advisories/GHSA-8rjr-6qq5-pj9p
- github.com/pypa/advisory-database/tree/main/vulns/rsa/PYSEC-2016-10.yaml
- github.com/sybrenstuvel/python-rsa
- github.com/sybrenstuvel/python-rsa/commit/ab5d21c3b554f926d51ff3ad9c794bcf32e95b3c
- nvd.nist.gov/vuln/detail/CVE-2016-1494
- web.archive.org/web/20210123020914/http://www.securityfocus.com/bid/79829
Detect and mitigate CVE-2016-1494 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →