In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
References
Configurations
Configuration 1 (hide)
|
Information
Published : 2017-07-27 14:29
Updated : 2021-06-06 04:15
NVD link : CVE-2016-0736
Mitre link : CVE-2016-0736
JSON object : View
CWE
CWE-310
Cryptographic Issues
Products Affected
apache
- http_server