blob: 1134475fbb4e737b5d957ef6e730623caf6ed48b [file] [log] [blame]
module = "github.com/square/go-jose"
package = "github.com/square/go-jose/cipher"
arch = [
"386",
"arm",
"armbe",
"amd64p32",
"mips",
"mipsle",
"mips64p32",
"mips64p32le",
"ppc",
"riscv",
"s390",
"sparc"
]
description = """
On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC
with HMAC such that they can control how large the input buffer is when computing
the HMAC authentication tag. This can can allow a manipulated ciphertext to be
verified as authentic, opening the door for padding oracle attacks.
"""
cve = "CVE-2016-9123"
credit = "Quan Nguyen from Google's Information Security Engineering Team"
symbols = ["cbcAEAD.computeAuthTag"]
published = "2021-04-14T12:00:00Z"
[[versions]]
fixed = "v0.0.0-20160903044734-789a4c4bd4c1"
[[additional_packages]]
module = "github.com/square/go-jose"
symbols = ["JsonWebEncryption.Decrypt", "JsonWebEncryption.DecryptMulti"]
[links]
commit = "https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96"
context = ["https://www.openwall.com/lists/oss-security/2016/11/03/1"]