CVE-2016-6298
jwcrypto lacks the Random Filling protection mechanism
5.3
MEDIUM
CVSS 3.1
EPSS 0.36%
Description
The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).
How to fix CVE-2016-6298
To remediate CVE-2016-6298, upgrade the affected package to a fixed version below.
- —upgrade to 0.3.2-1 or later
- —upgrade to 0.3.2 or later
- —upgrade to eb5be5bd94c8cae1d7f3ba9801377084d8e5a7ba or later
Is CVE-2016-6298 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 0.3.2-1
- from 0, < 0.3.2
- from 0, < eb5be5bd94c8cae1d7f3ba9801377084d8e5a7ba | from 0, < 0.4.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |