CVE-2015-7503: Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey
(updated )
Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt()
which uses PHP’s default $padding
argument, which specifies OPENSSL_PKCS1_PADDING
, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher’s chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless there are not using the RSA public key functionality.
References
Detect and mitigate CVE-2015-7503 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →