org.bouncycastle:bcprov-jdk18on Observable Timing Discrepancy VULNERABILITY #1269
Labels
Comments
|
This is a similar issue than #916. Unfortunately, this is a transitive dependency in WebDriverManager, declared in docker-java. So far, I had so luck asking them to update vulnerable dependencies. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description of the problem: A vulnerability has been found in io.github.bonigarcia:webdrivermanager@5.7.0 › com.github.docker-java:docker-java@3.3.5 › com.github.docker-java:docker-java-core@3.3.5 › org.bouncycastle:bcpkix-jdk18on@1.76 › org.bouncycastle:bcprov-jdk18on@1.76.
This package is vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via javax.crypto.Cipher exceptions and the OAEP interface vector leaks via the bit size of the decrypted data.
Browser and version: latest chrome browser
Operating system and architecture: amazon linux 2
Selenium version: 4.18
WebDriverManager version: 5.7.0
WebDriverManager call:
WebDriverManager traces:
Error log:
The text was updated successfully, but these errors were encountered: