Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/rfc3161-client@1.0.3
Type pypi
Namespace
Name rfc3161-client
Version 1.0.3
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.0.6
Latest_non_vulnerable_version 1.0.6
Affected_by_vulnerabilities
0
url VCID-czqz-wqkd-23bs
vulnerability_id VCID-czqz-wqkd-23bs
summary rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to 1.0.6, an Authorization Bypass vulnerability in rfc3161-client's signature verification allows any attacker to impersonate a trusted TimeStamping Authority (TSA). By exploiting a logic flaw in how the library extracts the leaf certificate from an unordered PKCS#7 bag of certificates, an attacker can append a spoofed certificate matching the target common_name and Extended Key Usage (EKU) requirements. This tricks the library into verifying these authorization rules against the forged certificate while validating the cryptographic signature against an actual trusted TSA (such as FreeTSA), thereby bypassing the intended TSA authorization pinning entirely. This vulnerability is fixed in 1.0.6.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33753.json
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33753.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33753
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.01304
published_at 2026-06-14T12:55:00Z
1
value 0.0001
scoring_system epss
scoring_elements 0.01296
published_at 2026-06-11T12:55:00Z
2
value 0.0001
scoring_system epss
scoring_elements 0.013
published_at 2026-06-13T12:55:00Z
3
value 0.0001
scoring_system epss
scoring_elements 0.01291
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33753
2
reference_url https://github.com/trailofbits/rfc3161-client
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/trailofbits/rfc3161-client
3
reference_url https://github.com/trailofbits/rfc3161-client/commit/4f7d372297b4fba7b0119e9f954e4495ec0592c0
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/trailofbits/rfc3161-client/commit/4f7d372297b4fba7b0119e9f954e4495ec0592c0
4
reference_url https://github.com/trailofbits/rfc3161-client/releases/tag/v1.0.6
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/trailofbits/rfc3161-client/releases/tag/v1.0.6
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33753
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33753
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2456545
reference_id 2456545
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2456545
7
reference_url https://github.com/advisories/GHSA-3xxc-pwj6-jgrj
reference_id GHSA-3xxc-pwj6-jgrj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3xxc-pwj6-jgrj
8
reference_url https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-3xxc-pwj6-jgrj
reference_id GHSA-3xxc-pwj6-jgrj
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T16:08:28Z/
url https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-3xxc-pwj6-jgrj
fixed_packages
0
url pkg:pypi/rfc3161-client@1.0.6
purl pkg:pypi/rfc3161-client@1.0.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/rfc3161-client@1.0.6
aliases CVE-2026-33753, GHSA-3xxc-pwj6-jgrj
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-czqz-wqkd-23bs
Fixing_vulnerabilities
0
url VCID-7dpv-nbje-yygz
vulnerability_id VCID-7dpv-nbje-yygz
summary rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to version 1.0.3, there is a flaw in the timestamp response signature verification logic. In particular, chain verification is performed against the TSR's embedded certificates up to the trusted root(s), but fails to verify the TSR's own signature against the timestamping leaf certificates. Consequently, vulnerable versions perform insufficient signature validation to properly consider a TSR verified, as the attacker can introduce any TSR signature so long as the embedded leaf chains up to some root TSA. This issue has been patched in version 1.0.3. There is no workaround for this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-52556
reference_id
reference_type
scores
0
value 0.00176
scoring_system epss
scoring_elements 0.39137
published_at 2026-06-13T12:55:00Z
1
value 0.00176
scoring_system epss
scoring_elements 0.39129
published_at 2026-06-14T12:55:00Z
2
value 0.00176
scoring_system epss
scoring_elements 0.39114
published_at 2026-06-12T12:55:00Z
3
value 0.00176
scoring_system epss
scoring_elements 0.38942
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-52556
1
reference_url https://github.com/trailofbits/rfc3161-client
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/trailofbits/rfc3161-client
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-52556
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-52556
3
reference_url https://github.com/trailofbits/rfc3161-client/commit/724a184f953e3f171f85cb223871172b41b0d0dc
reference_id 724a184f953e3f171f85cb223871172b41b0d0dc
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-23T15:13:25Z/
url https://github.com/trailofbits/rfc3161-client/commit/724a184f953e3f171f85cb223871172b41b0d0dc
4
reference_url https://github.com/advisories/GHSA-6qhv-4h7r-2g9m
reference_id GHSA-6qhv-4h7r-2g9m
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6qhv-4h7r-2g9m
5
reference_url https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-6qhv-4h7r-2g9m
reference_id GHSA-6qhv-4h7r-2g9m
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-23T15:13:25Z/
url https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-6qhv-4h7r-2g9m
fixed_packages
0
url pkg:pypi/rfc3161-client@1.0.3
purl pkg:pypi/rfc3161-client@1.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-czqz-wqkd-23bs
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/rfc3161-client@1.0.3
aliases CVE-2025-52556, GHSA-6qhv-4h7r-2g9m
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7dpv-nbje-yygz
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/rfc3161-client@1.0.3