GHSA-87mp-xc4x-x8rh: asymmetricrypt/asymmetricrypt Padding Oracle Vulnerability in RSA Encryption

May 15, 2024

The encryption and decryption process were vulnerable against the Bleichenbacher’s attack, which is a padding oracle vulnerability disclosed in the 98’. The issue was about the wrong padding utilized, which allowed to retrieve the encrypted content. The OPENSSL_PKCS1_PADDING version, aka PKCS v1.5 was vulnerable (is the one set by default when using openssl_* methods), while the PKCS v2.0 isn’t anymore (it’s also called OAEP).

A fix for this vulnerability was merged at https://github.com/Cosmicist/AsymmetriCrypt/pull/5/commits/a0318cfc5022f2a7715322dba3ff91d475ace7c6.

References

github.com/Cosmicist/AsymmetriCrypt
github.com/Cosmicist/AsymmetriCrypt/issues/4
github.com/Cosmicist/AsymmetriCrypt/pull/5
github.com/FriendsOfPHP/security-advisories/blob/master/asymmetricrypt/asymmetricrypt/2017-11-20.yaml
github.com/advisories/GHSA-87mp-xc4x-x8rh

Code Behaviors & Features

Detect and mitigate GHSA-87mp-xc4x-x8rh with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →