In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2017-07-27T21:00:00Z
Updated: 2024-09-16T17:52:49.825Z
Reserved: 2015-12-16T00:00:00
Link: CVE-2016-0736
Vulnrichment
No data.
NVD
Status : Modified
Published: 2017-07-27T21:29:00.177
Modified: 2024-11-21T02:42:16.817
Link: CVE-2016-0736
Redhat