MidnightBSD

Advisories for latchset

CVE-2016-6298 MEDIUM

The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
latchset jwcrypto *
CVE-2023-50967

latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

Products Affected

Vendor Product Version
fedoraproject fedora 38
fedoraproject fedora 39
fedoraproject fedora 40
latchset jose *
CVE-2023-6258

A security vulnerability has been identified in the pkcs11-provider, which is associated with Public-Key Cryptography Standards (PKCS#11). If exploited successfully, this vulnerability could result in a Bleichenbacher-like security flaw, potentially enabling a side-channel attack on PKCS#1 1.5 decryption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
latchset pkcs11-provider 0.1
CVE-2023-6681

A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
fedoraproject fedora 38
redhat enterprise_linux_for_ibm_z_systems 8.0
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_for_arm_64 8.0
fedoraproject fedora 39
latchset jwcrypto *
CVE-2024-28102

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H 2.3 4.0

Products Affected

Vendor Product Version
latchset jwcrypto *
debian debian_linux 11.0