CVE-2021-29446 Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 algorithms (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed...
CVE-2021-29446
CVE-2021-29446 affects the npm package jose-node-cjs-runtime. In versions before 3.11.4, decryption of AES_CBC_HMAC_SHA2 (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) could leak timing information because HMAC verification and CBC decryption might run in sequence even on a failed path, creating a...
CVE-2021-29445
CVE-2021-29445 affects the npm package jose-node-esm-runtime. In versions prior to 3.11.4, the AES_CBC_HMAC_SHA2 decryption flow would perform HMAC verification and CBC decryption even if one step failed, creating a potential padding oracle due to a timing difference during padding errors. An adv...
CVE-2021-29445 Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 algorithms (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed...
CVE-2021-29444 Padding Oracle Attack due to Observable Timing Discrepancy in jose-browser-runtime
jose-browser-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 algorithms (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed...
CVE-2021-29444
CVE-2021-29444 affects the npm package jose-browser-runtime. In versions prior to 3.11.4, the AES_CBC_HMAC_SHA2 decryption flow would execute both HMAC verification and CBC decryption even if one failed, enabling a potential padding oracle due to observable timing differences during padding error...
CVE-2021-29443
jose is an npm library providing a number of cryptographic operations. In vulnerable versions the AES_CBC_HMAC_SHA2 algorithms (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be thrown. A...
CVE-2021-29443 Padding Oracle Attack due to Observable Timing Discrepancy in jose
jose is an npm library providing a number of cryptographic operations. In vulnerable versions the AES_CBC_HMAC_SHA2 algorithms (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be thrown. A...
CVE-2021-29443
CVE-2021-29443 affects the jose npm library. Vulnerable versions of the library perform HMAC tag verification after attempting CBC decryption, creating a possible padding oracle through observable timing differences during decryption of AES_CBC_HMAC_SHA2 (A128CBC-HS256, A192CBC-HS384, A256CBC-HS5...
Security Bulletin: Multiple vulnerabilities in Bouncy Castle affects Apache Solr shipped with IBM Operations Analytics - Log Analysis
Summary: There are various types of vulnerabilities in Bouncy Castle that affect Apache Solr. The list can be found in the Vulnerability Details section. Vulnerability Details: CVEID: CVE-2018-1000613. DESCRIPTION: Legion of the Bouncy Castle Java Cryptography APIs could allow a remote attacker to execute...
PT-2021-18220 · Unknown · Jose-Node-Esm-Runtime
Name of the Vulnerable Software and Affected Versions: jose-node-esm-runtime versions prior to 3.11.4 Description: The AES CBC HMAC SHA2 Algorithm decryption in the jose-node-esm-runtime package has a timing difference when a padding error occurs, creating a padding oracle. This allows an adversa...
PT-2021-18221 · Unknown · Jose-Node-Cjs-Runtime
Name of the Vulnerable Software and Affected Versions: jose-node-cjs-runtime versions prior to 3.11.4 Description: The AES CBC HMAC SHA2 Algorithm decryption in the jose-node-cjs-runtime package has a timing difference when a padding error occurs, creating a padding oracle. This allows an adversa...
PT-2021-18219 · Unknown · Jose-Browser-Runtime
Name of the Vulnerable Software and Affected Versions: jose-browser-runtime versions prior to 3.11.4 Description: The AES CBC HMAC SHA2 Algorithm decryption in jose-browser-runtime has a padding oracle vulnerability. This occurs because a possibly observable difference in timing when a padding...
GO-2020-0009 Integer overflow in github.com/square/go-jose
On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC with HMAC such that they can control how large the input buffer is when computing the HMAC authentication tag. This can allow a manipulated ciphertext to be verified as authentic, opening the door for padding...
USN-4504-1: OpenSSL vulnerabilities | Cloud Foundry
Severity: Low. Vendor: Canonical Ubuntu. Versions Affected: Canonical Ubuntu 16.04, Canonical Ubuntu 18.04. Description: Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky discovered that certain Diffie-Hellman ciphersuites in the TLS specification and implemented by OpenSSL contained a...
Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Redhat Jboss_Enterprise_Application_Platform
PoC exploit for CVE-2016-2183, a Padding Oracle vulnerability in Apache Shiro. The exploit targets the RCE (Remote Code Execution) vector, leveraging the Padding Oracle attack to bypass encryption and inject arbitrary data. The probable entry point is the shirooraclepadding.py script, which is...
Lennyniu Tlslite-ng Encryption Problem Vulnerability
Lennyniu Tlslite-ng is a Python-based codebase, maintained by the individual developer Lennyniu, that provides SSLv3.0, TLS 1.0, TLS 1.1 and TLS 1.2. A cryptographic vulnerability previously existed in tlslite-ng 0.7.6 and 0.8.0-alpha39, which stemmed from code that relied on data to perform...