CVE-2016-7036

python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 60%
VendorProductVersion
python-jose_projectpython-jose
𝑥
≤ 1.3.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-jose
bookworm
3.3.0+dfsg-4
fixed
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/95845
https://github.com/mpdavis/python-jose/pull/35/commits/89b46353b9f611e9da38de3d2fedf52331167b93
https://github.com/mpdavis/python-jose/releases/tag/1.3.2
http://www.securityfocus.com/bid/95845
https://github.com/mpdavis/python-jose/pull/35/commits/89b46353b9f611e9da38de3d2fedf52331167b93
https://github.com/mpdavis/python-jose/releases/tag/1.3.2