Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04N21wLXhjNHgteDhyaM4AA8GI
asymmetricrypt/asymmetricrypt Padding Oracle Vulnerability in RSA Encryption
The encryption and decryption process were vulnerable against the Bleichenbacher's attack, which is a padding oracle vulnerability disclosed in the 98'.
The issue was about the wrong padding utilized, which allowed to retrieve the encrypted content.
The OPENSSL_PKCS1_PADDING version, aka PKCS v1.5 was vulnerable (is the one set by default when using openssl_* methods), while the PKCS v2.0 isn't anymore (it's also called OAEP).
A fix for this vulnerability was merged at https://github.com/Cosmicist/AsymmetriCrypt/pull/5/commits/a0318cfc5022f2a7715322dba3ff91d475ace7c6.
Permalink: https://github.com/advisories/GHSA-87mp-xc4x-x8rhJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04N21wLXhjNHgteDhyaM4AA8GI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 7 months ago
Identifiers: GHSA-87mp-xc4x-x8rh
References:
- https://github.com/Cosmicist/AsymmetriCrypt/issues/4
- https://github.com/Cosmicist/AsymmetriCrypt/pull/5
- https://github.com/FriendsOfPHP/security-advisories/blob/master/asymmetricrypt/asymmetricrypt/2017-11-20.yaml
- https://github.com/advisories/GHSA-87mp-xc4x-x8rh
Blast Radius: 0.0
Affected Packages
packagist:asymmetricrypt/asymmetricrypt
Dependent packages: 0Dependent repositories: 12
Downloads: 2,312 total
Affected Version Ranges: <= 0.3.0
No known fixed version
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.3.0