GHSA-87mp-xc4x-x8rh

Suggest an improvement
Source
https://github.com/advisories/GHSA-87mp-xc4x-x8rh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-87mp-xc4x-x8rh/GHSA-87mp-xc4x-x8rh.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-87mp-xc4x-x8rh
Published
2024-05-15T17:47:31Z
Modified
2024-11-29T05:41:50.206318Z
Summary
asymmetricrypt/asymmetricrypt Padding Oracle Vulnerability in RSA Encryption
Details

The encryption and decryption process were vulnerable against the Bleichenbacher's attack, which is a padding oracle vulnerability disclosed in the 98'. The issue was about the wrong padding utilized, which allowed to retrieve the encrypted content. The OPENSSLPKCS1PADDING version, aka PKCS v1.5 was vulnerable (is the one set by default when using openssl_* methods), while the PKCS v2.0 isn't anymore (it's also called OAEP).

A fix for this vulnerability was merged at https://github.com/Cosmicist/AsymmetriCrypt/pull/5/commits/a0318cfc5022f2a7715322dba3ff91d475ace7c6.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-327"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T17:47:31Z"
}
References

Affected packages

Packagist / asymmetricrypt/asymmetricrypt

Package

Name
asymmetricrypt/asymmetricrypt
Purl
pkg:composer/asymmetricrypt/asymmetricrypt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.3.0

Affected versions

0.*

0.1.0
0.2.0
0.2.1
0.3.0