CVE-2015-7503: Potential Information Disclosure in Zend\Crypt\PublicKey\Rsa\PublicKey

October 10, 2017 (updated November 5, 2017)

Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt() which uses PHP’s default $padding argument, which specifies OPENSSL_PKCS1_PADDING, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher’s chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless there are not using the RSA public key functionality.

References

framework.zend.com/security/advisory/ZF2015-10

Detect and mitigate CVE-2015-7503 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →