Closed lialon closed 2 months ago
In "Limnoria/plugins/Fediverse/activitypub.py", I have identified a security vulnerability involving an insecure cryptographic algorithm. PKCS1v1.5 is vulnerable to the chosen-ciphertext attack.
https://github.com/progval/Limnoria/blob/master/plugins/Fediverse/activitypub.py#L251
signed_text.encode(), padding.PKCS1v15(), hashes.SHA256()
Try using another padding (OAEP) instead of PKCS1v1.5.
Tell that to the authors of https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures
And please don't spam dozens of repositories with low-quality reports straight from a vulnerability scanner.
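The draft linked in the reply specifies its `rsa-sha256` algorithm as RSASSA-PKCS1-v1_5, a signature scheme; OAEP is an encryption padding, and chosen-ciphertext (Bleichenbacher-style) attacks target PKCS#1 v1.5 decryption. As an added illustration (not Limnoria's code and not part of the thread), this standard-library sketch shows the signature encoding and a verify-by-re-encoding check; the toy key, `SIGNED_TEXT` and all function names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed toy key for illustration only: both primes are Mersenne primes,
# so the modulus is trivially factorable and must never be used for real signing.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(message: bytes) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo. Fully deterministic."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(message: bytes) -> bytes:
    em = int.from_bytes(emsa_pkcs1_v15(message), "big")
    return pow(em, D, N).to_bytes(K, "big")


def verify(message: bytes, signature: bytes) -> bool:
    """Verify by rebuilding the expected block and comparing all of it.

    Only public values (N, E) are involved: nothing is decrypted, and the
    padding is never parsed, so a lenient parser cannot accept a malformed block.
    """
    s = int.from_bytes(signature, "big")
    if len(signature) != K or s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(message))


# Constructed signing string in the style of the HTTP Signatures draft.
SIGNED_TEXT = "(request-target): post /inbox\nhost: example.org\ndate: Tue, 07 Jun 2014 20:51:35 GMT"

if __name__ == "__main__":
    sig = sign(SIGNED_TEXT.encode())
    print(verify(SIGNED_TEXT.encode(), sig))
    print(verify(SIGNED_TEXT.replace("/inbox", "/outbox").encode(), sig))
```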