Ubuntu.comUB:CVE-2016-9122CVE-2016-9122
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
48.7%
go-jose before 1.0.4 suffers from multiple signatures exploitation. The
go-jose library supports messages with multiple signatures. However, when
validating a signed message the API did not indicate which signature was
valid, which could potentially lead to confusion. For example, users of the
library might mistakenly read protected header values from an attached
signature that was different from the one originally validated.
References
www.openwall.com/lists/oss-security/2016/11/03/1
github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
hackerone.com/reports/169629
launchpad.net/bugs/cve/CVE-2016-9122
nvd.nist.gov/vuln/detail/CVE-2016-9122
security-tracker.debian.org/tracker/CVE-2016-9122
www.cve.org/CVERecord?id=CVE-2016-9122
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
48.7%