CVE-2016-7036 - python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a

CVE-2016-7036

Summary

python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys.

References

Vulnerable Configurations

cpe:2.3:a:python-jose_project:python-jose:0.1.5:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.1.5:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.2.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.2.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.1:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.1:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.2:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.2:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.3:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.3:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.4:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.4:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.5:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.5:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.6:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.5.6:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.6.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.6.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.6.1:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.6.1:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.6.2:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.6.2:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:python-jose_project:python-jose:1.3.1:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 01-02-2017 - 02:59)
Impact:
Exploitability:

CWE

CWE-361

CAPEC

Session Fixation
The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bid	95845
confirm	https://github.com/mpdavis/python-jose/pull/35/commits/89b46353b9f611e9da38de3d2fedf52331167b93 https://github.com/mpdavis/python-jose/releases/tag/1.3.2

Last major update

01-02-2017 - 02:59

Published

23-01-2017 - 21:59

Last modified

01-02-2017 - 02:59