CVE-2017-12972: Insufficient Verification of Data Authenticity

August 20, 2017 (updated November 16, 2019)

There is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.

References

nvd.nist.gov/vuln/detail/CVE-2017-12972

Detect and mitigate CVE-2017-12972 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →