GHSA-87mp-xc4x-x8rh: asymmetricrypt/asymmetricrypt Padding Oracle Vulnerability in RSA Encryption
The encryption and decryption process were vulnerable against the Bleichenbacher’s attack, which is a padding oracle vulnerability disclosed in the 98’. The issue was about the wrong padding utilized, which allowed to retrieve the encrypted content. The OPENSSL_PKCS1_PADDING version, aka PKCS v1.5 was vulnerable (is the one set by default when using openssl_* methods), while the PKCS v2.0 isn’t anymore (it’s also called OAEP).
A fix for this vulnerability was merged at https://github.com/Cosmicist/AsymmetriCrypt/pull/5/commits/a0318cfc5022f2a7715322dba3ff91d475ace7c6.
References
Detect and mitigate GHSA-87mp-xc4x-x8rh with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →