Description

Manual confirmation is required for this alert.

This script is possibly vulnerable to a Padding Oracle Attack. At Eurocrypt 2002, Vaudenay introduced a powerful side-channel attack, which is called padding oracle attack, against CBC-mode encryption with PKCS#5 padding. If there is an oracle which on receipt of a ciphertext, decrypts it and then replies to the sender whether the padding is correct or not, Vaudenay shows how to use that oracle to efficiently decrypt data without knowing the encryption key.

Remediation

Consult Web References for more information about the padding oracle attack.

References

Practical Padding Oracle Attacks

Automated Padding Oracle Attacks with PadBuster

Related Vulnerabilities

WordPress full path disclosure

WordPress Plugin Tinymce Thumbnail Gallery 'href' Parameter Information Disclosure (1.0.7)

Atlassian Confluence Access Restriction Bypass

Jenkins weak password

RSA Private Key Detected

Severity

High

Classification

CWE-209 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure Configuration Error Handling Weak Crypto