Platform
python
Component
rfc3161-client
Fixed in
1.0.7
1.0.6
CVE-2026-33753 describes an authorization bypass vulnerability within the rfc3161-client Python library. This flaw allows attackers to impersonate a trusted TimeStamping Authority (TSA), potentially leading to the creation and acceptance of forged timestamps. The vulnerability affects versions of rfc3161-client prior to 1.0.6, and a patch has been released to address the issue.
The impact of this vulnerability is significant, as it allows attackers to forge timestamps issued by trusted TSAs. This could be exploited to create fraudulent digital signatures, potentially compromising the integrity of software updates, legal documents, or any other application relying on timestamped data. An attacker could append a spoofed certificate with a matching common_name and Extended Key Usage (EKU) to a PKCS#7 bag, tricking the library into verifying authorization rules against the forged certificate while the cryptographic signature remains valid against a legitimate TSA. This effectively allows the attacker to issue seemingly legitimate timestamps for malicious purposes, undermining trust in the timestamping process.
CVE-2026-33753 was publicly disclosed on 2026-04-08. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability description suggests a relatively straightforward exploitation path, potentially increasing the likelihood of future exploitation.
Applications and systems relying on rfc3161-client for time stamping services are at risk. This includes systems involved in digital signatures, code signing, and any process requiring verifiable timestamps for regulatory compliance or data integrity. Specifically, organizations using custom integrations with time stamping authorities are particularly vulnerable.
• python / library:

    from importlib.metadata import PackageNotFoundError, version

    def check_rfc3161_version():
        # Look up the installed distribution by its PyPI name instead of
        # importing it, and compare version components numerically
        # (string comparison would mis-order e.g. "1.0.10" and "1.0.5").
        try:
            installed = version("rfc3161-client")
        except PackageNotFoundError:
            print("rfc3161-client is not installed.")
            return
        print(f"rfc3161-client version: {installed}")
        parts = tuple(int(p) for p in installed.split(".")[:3] if p.isdigit())
        if parts < (1, 0, 6):
            print("WARNING: Vulnerable to CVE-2026-33753")
        else:
            print("rfc3161-client is patched.")

    check_rfc3161_version()
Exploit status
EPSS
0.00% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33753 is to upgrade the rfc3161-client library to version 1.0.6 or later. If upgrading is not immediately feasible, consider implementing stricter certificate validation checks upstream in your application code. This could involve verifying the certificate chain and ensuring the common_name and EKU match expected values. Additionally, consider using a Web Application Firewall (WAF) to inspect incoming PKCS#7 requests and block those containing suspicious certificate structures. After upgrading, confirm the fix by attempting to generate a timestamp with a modified certificate and verifying that the library rejects it.
Update the library (rfc3161-client) to version 1.0.6 or higher to fix the authorization bypass vulnerability. This version implements more robust certificate validation that prevents the manipulation and use of forged certificates for timestamping.
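The root cause described above (authorization rules evaluated against a different certificate than the one the signature was verified with) and the upstream check suggested as an interim mitigation can be illustrated with a small model. This is an added example, not code from rfc3161-client or from this advisory: certificates and the CMS SignerInfo are plain stdlib dataclasses rather than real ASN.1 structures, and all names, serials and the "Trusted TSA" policy value are constructed.

```python
from dataclasses import dataclass, field

TIMESTAMPING_EKU = "1.3.6.1.5.5.7.3.8"  # id-kp-timeStamping

@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    common_name: str
    ekus: tuple = ()

@dataclass(frozen=True)
class SignerInfo:
    issuer: str  # CMS identifies the signing certificate by issuer + serial
    serial: int

@dataclass
class SignedData:
    signer: SignerInfo
    certificates: list = field(default_factory=list)  # the PKCS#7 "bag"

def authorized_flawed(sd: SignedData, expected_cn: str) -> bool:
    """Flawed pattern: accept when ANY bag certificate satisfies the policy,
    so the policy is not bound to the certificate that produced the signature."""
    return any(c.common_name == expected_cn and TIMESTAMPING_EKU in c.ekus
               for c in sd.certificates)

def authorized_hardened(sd: SignedData, expected_cn: str) -> bool:
    """Resolve the certificate the SignerInfo points at first, then apply the
    common_name / EKU policy to that certificate only."""
    sid = (sd.signer.issuer, sd.signer.serial)
    matches = [c for c in sd.certificates if (c.issuer, c.serial) == sid]
    if len(matches) != 1:  # signer certificate missing or ambiguous: reject
        return False
    signer = matches[0]
    return signer.common_name == expected_cn and TIMESTAMPING_EKU in signer.ekus

# Constructed sample data (hypothetical issuer names and serial numbers).
SIGNER = Cert("CN=Example Root", 1001, "Other TSA", (TIMESTAMPING_EKU,))
LOOKALIKE = Cert("CN=Example Root", 2002, "Trusted TSA", (TIMESTAMPING_EKU,))
GENUINE = Cert("CN=Example Root", 3003, "Trusted TSA", (TIMESTAMPING_EKU,))

# Token whose signature resolves to SIGNER, with LOOKALIKE appended to the bag:
# the flawed check passes it, the hardened check rejects it.
PADDED_BAG = SignedData(SignerInfo("CN=Example Root", 1001), [SIGNER, LOOKALIKE])
# Token genuinely signed by the expected TSA: both checks accept it.
GENUINE_BAG = SignedData(SignerInfo("CN=Example Root", 3003), [GENUINE])
```

Running `authorized_hardened(PADDED_BAG, "Trusted TSA")` returns False while the flawed variant returns True; both return True for `GENUINE_BAG`.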
CVE-2026-33753 is a medium-severity authorization bypass vulnerability in the rfc3161-client Python library, allowing attackers to impersonate trusted TimeStamping Authorities.
You are affected if you are using rfc3161-client versions 1.0.5 or earlier. Upgrade to 1.0.6 or later to mitigate the risk.
Upgrade to version 1.0.6 or later of the rfc3161-client library using pip: pip install rfc3161-client==1.0.6.
There is currently no evidence of active exploitation, but the vulnerability details are public, increasing the risk of future attacks.
Refer to the project's repository or associated security mailing lists for the official advisory. Check PyPI for the updated package.