Vulnerability Details : CVE-2016-1494
The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.
Vulnerability category: Input validation
Products affected by CVE-2016-1494
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:rsa:*:*:*:*:*:python:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-1494
- EPSS score: 0.43% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~75% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2016-1494
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
| 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2016-1494
- CWE-20: Improper Input Validation. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-1494
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175897.html
  [SECURITY] Fedora 23 Update: python-rsa-3.3-2.fc23 (Third Party Advisory)
- http://www.securityfocus.com/bid/79829
  Python-RSA CVE-2016-1494 Security Bypass Vulnerability (Third Party Advisory; VDB Entry)
- http://lists.opensuse.org/opensuse-updates/2016-01/msg00032.html
  openSUSE-SU-2016:0108-1: moderate: Security update for python-rsa (Mailing List; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2016/01/05/1
  oss-security - CVE Request: python-rsa signature forgery (Mailing List; Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175942.html
  [SECURITY] Fedora 22 Update: python-rsa-3.3-2.fc22 (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2016/01/05/3
  oss-security - Re: CVE Request: python-rsa signature forgery (Mailing List; Third Party Advisory)
- https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/
  Bleichenbacher'06 signature forgery in python-rsa (Exploit; Third Party Advisory)
- https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by/diff
  sybren / python-rsa / Pull request #14: [security] Fix BB'06 attack in verify() by switching from parsing to comparison — Bitbucket (Patch; Third Party Advisory)