asymmetricrypt/asymmetricrypt Padding Oracle Vulnerability in RSA Encryption

Moderate severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database

Package

asymmetricrypt/asymmetricrypt (Composer)

Affected versions

<= 0.3.0

Patched versions

None

Description

The encryption and decryption processes were vulnerable to Bleichenbacher's attack, a padding oracle vulnerability disclosed in 1998.
The issue was the padding scheme in use, which allowed the encrypted content to be retrieved.
OPENSSL_PKCS1_PADDING, aka PKCS#1 v1.5, is the vulnerable padding (and the one set by default when using the openssl_* methods), while PKCS#1 v2.0 padding, also called OAEP, is not.

A fix for this vulnerability was merged at Cosmicist/AsymmetriCrypt@a0318cf.
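
The padding choice described above, shown as an added example (not code from asymmetricrypt/asymmetricrypt or from the referenced commit): the same message is encrypted once with PKCS#1 v1.5 padding and once with OAEP, and the OAEP decrypt path rejects the v1.5 ciphertext. The helper names `encryptOaep()` and `decryptOaep()` are hypothetical, and the key pair and message are constructed for the demonstration.

```php
<?php
// Added example; encryptOaep()/decryptOaep() are hypothetical helper names.

function encryptOaep(string $plaintext, $publicKey): string
{
    // Pass the padding explicitly; never rely on the openssl_* default.
    if (!openssl_public_encrypt($plaintext, $ciphertext, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed');
    }
    return $ciphertext;
}

function decryptOaep(string $ciphertext, $privateKey): string
{
    if (!openssl_private_decrypt($ciphertext, $plaintext, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        // One generic error for every failure, so callers learn nothing about the padding.
        throw new RuntimeException('decryption failed');
    }
    return $plaintext;
}

// Throwaway 2048-bit RSA key pair, constructed for this demonstration only.
$privateKey = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($privateKey === false) {
    throw new RuntimeException('key generation failed');
}
$publicKey = openssl_pkey_get_details($privateKey)['key']; // PEM-encoded public key

$message = 'constructed sample message';

// Weak setting: PKCS#1 v1.5 padding, the scheme the advisory describes as vulnerable.
openssl_public_encrypt($message, $legacy, $publicKey, OPENSSL_PKCS1_PADDING);

// Corrected setting: OAEP on both the encrypt and the decrypt side.
$oaep = encryptOaep($message, $publicKey);
echo 'OAEP round trip ok: ', var_export(decryptOaep($oaep, $privateKey) === $message, true), PHP_EOL;

// Migration caveat: data encrypted under v1.5 does not decrypt under OAEP.
try {
    decryptOaep($legacy, $privateKey);
    echo 'legacy ciphertext accepted', PHP_EOL;
} catch (RuntimeException $e) {
    echo 'legacy ciphertext rejected: ', $e->getMessage(), PHP_EOL;
}
```

Ciphertexts stored under the old padding have to be re-encrypted when switching to OAEP, because the two schemes are not interchangeable on the decrypt side.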

References

Published to the GitHub Advisory Database May 15, 2024
Reviewed May 15, 2024

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-87mp-xc4x-x8rh