progval / Limnoria

A robust, full-featured, and user/programmer-friendly Python IRC bot, with many existing plugins.
https://docs.limnoria.net/

Cryptographic API Misuse Vulnerability #1587

Closed lialon closed 2 months ago

lialon commented 2 months ago

Description:

In "Limnoria/plugins/Fediverse/activitypub.py", I have identified a security vulnerability concerning an insecure cryptographic algorithm. PKCS1v1.5 is vulnerable to the chosen-ciphertext attack.

Location:

https://github.com/progval/Limnoria/blob/master/plugins/Fediverse/activitypub.py#L251

signed_text.encode(), padding.PKCS1v15(), hashes.SHA256()

Reference

Recommendations:

Try using another padding (OAEP) instead of PKCS1v1.5.

progval commented 2 months ago

Tell that to the authors of https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures

And please don't spam dozens of repositories with low-quality reports straight from a vulnerability scanner.
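
An added example, not part of the thread or of Limnoria's code: it uses the `cryptography` package's sign/verify calls with the argument shape quoted in the report to show that `padding.PKCS1v15()` is used there as a signature padding, that the package does not accept OAEP (an encryption padding) for signing, and that PSS, the signature-side alternative, is rejected by a verifier expecting PKCS#1 v1.5. The signing string and all function names are constructed for illustration.

```python
from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Constructed sample: a signing string in the style of HTTP signatures.
SIGNED_TEXT = (
    "(request-target): post /inbox\n"
    "host: example.org\n"
    "date: Thu, 01 Jan 1970 00:00:00 GMT"
)


def verifies(public_key, signature, text, pad):
    """Return True only if the signature checks out under the given padding."""
    try:
        public_key.verify(signature, text.encode(), pad, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def oaep_usable_for_signing(private_key):
    """OAEP is defined for encryption; try it in the signing call anyway."""
    mgf = padding.MGF1(hashes.SHA256())
    oaep = padding.OAEP(mgf=mgf, algorithm=hashes.SHA256(), label=None)
    try:
        private_key.sign(SIGNED_TEXT.encode(), oaep, hashes.SHA256())
        return True
    except (UnsupportedAlgorithm, TypeError, ValueError):
        return False


def demo():
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = key.public_key()
    v15 = padding.PKCS1v15()
    mgf = padding.MGF1(hashes.SHA256())
    pss = padding.PSS(mgf=mgf, salt_length=padding.PSS.MAX_LENGTH)
    sig_v15 = key.sign(SIGNED_TEXT.encode(), v15, hashes.SHA256())
    sig_pss = key.sign(SIGNED_TEXT.encode(), pss, hashes.SHA256())
    return {
        "v15_valid": verifies(pub, sig_v15, SIGNED_TEXT, v15),
        "v15_tampered": verifies(pub, sig_v15, SIGNED_TEXT + "x", v15),
        "pss_valid": verifies(pub, sig_pss, SIGNED_TEXT, pss),
        # A peer that only implements PKCS#1 v1.5 verification rejects PSS.
        "pss_checked_as_v15": verifies(pub, sig_pss, SIGNED_TEXT, v15),
        "oaep_signs": oaep_usable_for_signing(key),
    }


if __name__ == "__main__":
    print(demo())
```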