GHSA-87mp-xc4x-x8rh

Source

https://github.com/advisories/GHSA-87mp-xc4x-x8rh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-87mp-xc4x-x8rh/GHSA-87mp-xc4x-x8rh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-87mp-xc4x-x8rh

Published

2024-05-15T17:47:31Z

Modified

2024-11-29T05:32:28.469089Z

Summary

asymmetricrypt/asymmetricrypt Padding Oracle Vulnerability in RSA Encryption

Details

The encryption and decryption process were vulnerable against the Bleichenbacher's attack, which is a padding oracle vulnerability disclosed in the 98'. The issue was about the wrong padding utilized, which allowed to retrieve the encrypted content. The OPENSSLPKCS1PADDING version, aka PKCS v1.5 was vulnerable (is the one set by default when using openssl_* methods), while the PKCS v2.0 isn't anymore (it's also called OAEP).

A fix for this vulnerability was merged at https://github.com/Cosmicist/AsymmetriCrypt/pull/5/commits/a0318cfc5022f2a7715322dba3ff91d475ace7c6.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-327"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T17:47:31Z"
}

References

Affected packages

Packagist / asymmetricrypt/asymmetricrypt

Package

Name: asymmetricrypt/asymmetricrypt
Purl: pkg:composer/asymmetricrypt/asymmetricrypt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.3.0

Affected versions

0.*

0.1.0

0.2.0

0.2.1

0.3.0