The encryption and decryption process were vulnerable against the Bleichenbacherβs attack, which is a padding oracle vulnerability disclosed in the 98β.
The issue was about the wrong padding utilized, which allowed to retrieve the encrypted content.
The OPENSSL_PKCS1_PADDING version, aka PKCS v1.5 was vulnerable (is the one set by default when using openssl_* methods), while the PKCS v2.0 isnβt anymore (itβs also called OAEP).
A fix for this vulnerability was merged at https://github.com/Cosmicist/AsymmetriCrypt/pull/5/commits/a0318cfc5022f2a7715322dba3ff91d475ace7c6.
CPE | Name | Operator | Version |
---|---|---|---|
asymmetricrypt/asymmetricrypt | le | 0.3.0 |