CVE-2016-0736

2017-07-27T21:29:00
ID CVE-2016-0736
Type cve
Reporter security@apache.org
Modified 2021-06-06T11:15:00

Description

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.