
25 matches found

Cvelist, added 2026/03/13 7:58 p.m., 30 views

CVE-2026-32600 xml-security is Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption

xml-security is a library that implements XML signatures and encryption. Prior to versions 2.3.1 and 1.13.9, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag,...

CVSS 8.2, EPSS 0.00148
Exploits 1, References 3
Cvelist, added 2026/03/13 7:50 p.m., 28 views

CVE-2026-32313 xmlseclibs is Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption

xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Prior to 3.1.5, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover...

CVSS 8.2, EPSS 0.00152
Exploits 1, References 3
EUVD, added 2025/10/07 12:30 a.m., 3 views

EUVD-2021-19554

Malware in sbrugna...

CVSS 5.9, AI score 6.1, EPSS 0.01503
Exploits 0, References 12
OSV, added 2025/08/07 8:55 p.m., 7 views

GHSA-C7P4-HX26-PR73 JWE is missing AES-GCM authentication tag validation in encrypted JWE

Overview The authentication tag of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. Impact - JWEs can be modified to decrypt to an arbitrary value - JWEs can be decrypted by observing parsing differences - The...

CVSS 9.1, AI score 6.4, EPSS 0.00231
Exploits 1, References 5
Tenable Nessus, added 2025/05/14 12:00 a.m., 6 views

Alibaba Cloud Linux 3 : 0091: mod_auth_openidc:2.3 (ALINUX3-SA-2023:0091)

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by a vulnerability as referenced in the ALINUX3-SA-2023:0091 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2023-37464: OpenIDC/cjose is a C library...

CVSS 8.6, AI score 7.5, EPSS 0.00605
Exploits 1, References 2
Tenable Nessus, added 2024/05/11 12:00 a.m., 55 views

RHEL 7 : mod_auth_openidc (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - modauthopenidc: open redirect due to targetlinkuri parameter not validated CVE-2021-39191 - modauthopenid...

AI score 7.2, EPSS 0.02345
Exploits 3, References 5
Tenable Nessus, added 2024/02/29 12:00 a.m., 32 views

CentOS 9 : mod_auth_openidc-2.4.9.1-1.el9

The remote CentOS Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the modauthopenidc-2.4.9.1-1.el9 build changelog. - open redirect in oidcvalidateredirecturl rhel-9.0 CVE-2021-32786 - hardcoded static IV and AAD with a reused key in AES GCM...

CVSS 6.1, AI score 6.6, EPSS 0.02345
Exploits 1, References 4
Debian, added 2023/04/30 9:14 p.m., 39 views

[SECURITY] [DLA 3409-1] libapache2-mod-auth-openidc security update

Debian LTS Advisory DLA-3409-1 [email protected] https://www.debian.org/lts/security/ Adrian Bunk April 30, 2023 https://wiki.debian.org/LTS -...

CVSS 7.5, AI score 7.3, EPSS 0.02624
Exploits 1
Kitploit, added 2022/09/09 12:30 p.m., 59 views

Gohide - Tunnel Port To Port Traffic Over An Obfuscated Channel With AES-GCM Encryption

Tunnel port to port traffic via an obfuscated channel with AES-GCM encryption. Obfuscation Modes Session Cookie HTTP GET http-client Set-Cookie Session Cookie HTTP/2 200 OK http-server WebSocket Handshake "Sec-WebSocket-Key" websocket-client WebSocket Handshake "Sec-WebSocket-Accept"...

AI score 7.6
Exploits 0, References 1
Tenable Nessus, added 2022/05/18 12:00 a.m., 64 views

Oracle Linux 8 : mod_auth_openidc:2.3 (ELSA-2022-1823)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-1823 advisory. - Resolves: rhbz1987222 - CVE-2021-32792 XSS when using OIDCPreservePost On - Resolves: rhbz1987216 - CVE-2021-32791 hardcoded static IV and AAD with a...

CVSS 6.1, AI score 6.7, EPSS 0.02345
Exploits 2, References 5
AlmaLinux, added 2022/05/10 6:30 a.m., 36 views

Moderate: mod_auth_openidc:2.3 security update

The modauthopenidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. Security Fixes: modauthopenidc: open redirect in oidcvalidateredirecturl CVE-2021-32786...

CVSS 6.1, AI score 6.6, EPSS 0.02345
Exploits 2, References 5
OSV, added 2021/10/02 6:57 p.m., 9 views

MGASA-2021-0452 Updated apache-mod_auth_openidc packages fix security vulnerability

In versions prior to 2.4.9, oidcvalidateredirecturl does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. CVE-2021-32786 In modauthopenidc before version 2.4.9, the AES GCM encrypti...

CVSS 7.5, AI score 5.7, EPSS 0.02624
Exploits 1, References 5
Mageia, added 2021/10/02 6:57 p.m., 50 views

Updated apache-mod_auth_openidc packages fix security vulnerability

In versions prior to 2.4.9, oidcvalidateredirecturl does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. CVE-2021-32786 In modauthopenidc before version 2.4.9, the AES GCM encrypti...

CVSS 7.5, AI score 2.6, EPSS 0.02624
Exploits 1, References 4
OpenVAS, added 2021/09/14 12:00 a.m., 28 views

openSUSE: Security Advisory for apache2-mod_auth_openidc (openSUSE-SU-2021:3020-1)

The remote host is missing an update for the Copyright (C) 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

CVSS 7.5, AI score 6.5, EPSS 0.02624
Exploits 1, References 2
OPENSUSE Linux, added 2021/09/13 12:00 a.m., 57 views

Security update for apache2-mod_auth_openidc (moderate)

openSUSE Security Update: Security update for apache2-modauthopenidc Announcement ID: openSUSE-SU-2021:3020-1 Rating: moderate References: 1188638 1188639 1188848 1188849 Cross-References: CVE-2021-32785 CVE-2021-32786 CVE-2021-32791 CVE-2021-32792 CVSS scores: CVE-2021-32785 SUSE: 5.3...

CVSS 5.9, AI score 6.4, EPSS 0.02624
Exploits 1, References 4
RedhatCVE, added 2021/07/27 1:20 p.m., 29 views

CVE-2021-32791

A flaw was found in modauthopenidc. The AES GCM encryption uses a static IV and AAD, which could lead to other cryptographic attacks. The highest threat from this vulnerability is to data confidentiality...

CVSS 5.9, AI score 2.1, EPSS 0.01503
Exploits 0, References 4
OSV, added 2021/07/26 5:15 p.m., 31 views

CVE-2021-32791

modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In modauthopenidc before version 2.4.9, the AES GCM encryption in modauthopenidc uses a static IV and...

CVSS 5.9, AI score 6.6
Exploits 0, References 7
Prion, added 2021/07/26 5:15 p.m., 30 views

Authentication flaw

modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In modauthopenidc before version 2.4.9, the AES GCM encryption in modauthopenidc uses a static IV and...

CVSS 4.3, AI score 6, EPSS 0.01503
Exploits 0, References 7, Affected software 2
Debian CVE, added 2021/07/26 12:00 a.m., 41 views

CVE-2021-32791

modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In modauthopenidc before version 2.4.9, the AES GCM encryption in modauthopenidc uses a static IV and...

CVSS 5.9, AI score 6.1, EPSS 0.01503
Exploits 0
OSV, added 2021/06/01 9:17 p.m., 16 views

GHSA-55XH-53M6-936R Improper Verification of Cryptographic Signature in aws-encryption-sdk-java

Impact This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This update addresses an issue where certain invalid ECDSA signatures incorrectly passed validation. These signatures provide defense in depth...

CVSS 6.9, AI score 5.9, EPSS 0.0021
Exploits 0, References 4