progval / Limnoria

A robust, full-featured, and user/programmer-friendly Python IRC bot, with many existing plugins.
https://docs.limnoria.net/
Other
621 stars 174 forks source link

Cryptographic API Misuse Vulnerability #1587

Closed lialon closed 3 months ago

lialon commented 3 months ago

Description:

In the "Limnoria/plugins/Fediverse/activitypub.py", I have identified a security vulnerability about insecure cryptographic algorithm. PKCS1v1.5 is vulnerable to the chosen-ciphertext attack.

Location:

https://github.com/progval/Limnoria/blob/master/plugins/Fediverse/activitypub.py#L251

signed_text.encode(), padding.PKCS1v15(), hashes.SHA256()

Reference

Recommendations:

Try using other padding(OAEP) instead of PKCS1v1.5.

progval commented 3 months ago

Tell that to the authors of https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures

And please don't spam dozens repositories with low-quality reports straight from a vulnerability scanner.