CWE-354
AllowedImproper Validation of Integrity Check Value
Abstraction: Base · Status: Draft
The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.
231 vulnerabilities reference this CWE, most recent first.
GHSA-45X7-PX36-X8W8
Vulnerability from github – Published: 2023-12-18 19:22 – Updated: 2026-05-13 15:24Summary
Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.
Mitigations
To mitigate this protocol vulnerability, OpenSSH suggested a so-called "strict kex" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes.
Warning: To take effect, both the client and server must support this countermeasure.
As a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available.
Details
The SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario.
The attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange.
In the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message's sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers.
For more details see https://terrapin-attack.com.
Impact
This attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "russh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.40.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"fixed": "0.17.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "paramiko"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "3.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20231218163308-9d2ee975ef9f"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-48795"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-354"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-18T19:22:09Z",
"nvd_published_at": "2023-12-18T16:15:10Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nTerrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH\u0027s secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.\n\n### Mitigations\n\nTo mitigate this protocol vulnerability, OpenSSH suggested a so-called \"strict kex\" which alters the SSH handshake to ensure a Man-in-the-Middle attacker cannot introduce unauthenticated messages as well as convey sequence number manipulation across handshakes.\n\n**Warning: To take effect, both the client and server must support this countermeasure.** \n\nAs a stop-gap measure, peers may also (temporarily) disable the affected algorithms and use unaffected alternatives like AES-GCM instead until patches are available.\n\n### Details\n\nThe SSH specifications of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com MACs) are vulnerable against an arbitrary prefix truncation attack (a.k.a. Terrapin attack). This allows for an extension negotiation downgrade by stripping the SSH_MSG_EXT_INFO sent after the first message after SSH_MSG_NEWKEYS, downgrading security, and disabling attack countermeasures in some versions of OpenSSH. When targeting Encrypt-then-MAC, this attack requires the use of a CBC cipher to be practically exploitable due to the internal workings of the cipher mode. Additionally, this novel attack technique can be used to exploit previously unexploitable implementation flaws in a Man-in-the-Middle scenario.\n\nThe attack works by an attacker injecting an arbitrary number of SSH_MSG_IGNORE messages during the initial key exchange and consequently removing the same number of messages just after the initial key exchange has concluded. This is possible due to missing authentication of the excess SSH_MSG_IGNORE messages and the fact that the implicit sequence numbers used within the SSH protocol are only checked after the initial key exchange.\n\nIn the case of ChaCha20-Poly1305, the attack is guaranteed to work on every connection as this cipher does not maintain an internal state other than the message\u0027s sequence number. In the case of Encrypt-Then-MAC, practical exploitation requires the use of a CBC cipher; while theoretical integrity is broken for all ciphers when using this mode, message processing will fail at the application layer for CTR and stream ciphers.\n\nFor more details see [https://terrapin-attack.com](https://terrapin-attack.com). \n\n### Impact\n\nThis attack targets the specification of ChaCha20-Poly1305 (chacha20-poly1305@openssh.com) and Encrypt-then-MAC (*-etm@openssh.com), which are widely adopted by well-known SSH implementations and can be considered de-facto standard. These algorithms can be practically exploited; however, in the case of Encrypt-Then-MAC, we additionally require the use of a CBC cipher. As a consequence, this attack works against all well-behaving SSH implementations supporting either of those algorithms and can be used to downgrade (but not fully strip) connection security in case SSH extension negotiation (RFC8308) is supported. The attack may also enable attackers to exploit certain implementation flaws in a man-in-the-middle (MitM) scenario.",
"id": "GHSA-45x7-px36-x8w8",
"modified": "2026-05-13T15:24:57Z",
"published": "2023-12-18T19:22:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/warp-tech/russh/security/advisories/GHSA-45x7-px36-x8w8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795"
},
{
"type": "WEB",
"url": "https://github.com/ssh-mitm/ssh-mitm/issues/165"
},
{
"type": "WEB",
"url": "https://github.com/hierynomus/sshj/issues/916"
},
{
"type": "WEB",
"url": "https://github.com/janmojzis/tinyssh/issues/81"
},
{
"type": "WEB",
"url": "https://github.com/cyd01/KiTTY/issues/520"
},
{
"type": "WEB",
"url": "https://github.com/proftpd/proftpd/issues/456"
},
{
"type": "WEB",
"url": "https://github.com/apache/mina-sshd/issues/445"
},
{
"type": "WEB",
"url": "https://github.com/paramiko/paramiko/issues/2337#issuecomment-1887642773"
},
{
"type": "WEB",
"url": "https://github.com/paramiko/paramiko/issues/2337"
},
{
"type": "WEB",
"url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189"
},
{
"type": "WEB",
"url": "https://github.com/mwiede/jsch/issues/457"
},
{
"type": "WEB",
"url": "https://github.com/libssh2/libssh2/pull/1291"
},
{
"type": "WEB",
"url": "https://github.com/NixOS/nixpkgs/pull/275249"
},
{
"type": "WEB",
"url": "https://github.com/mwiede/jsch/pull/461"
},
{
"type": "WEB",
"url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0"
},
{
"type": "WEB",
"url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3"
},
{
"type": "WEB",
"url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab"
},
{
"type": "WEB",
"url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5"
},
{
"type": "WEB",
"url": "https://github.com/warp-tech/russh/commit/1aa340a7df1d5be1c0f4a9e247aade76dfdd2951"
},
{
"type": "WEB",
"url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d"
},
{
"type": "WEB",
"url": "https://oryx-embedded.com/download/#changelog"
},
{
"type": "WEB",
"url": "https://nova.app/releases/#v11.8"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=38732005"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002"
},
{
"type": "WEB",
"url": "https://roumenpetrov.info/secsh/#news20231220"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2023-48795"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/source-package/libssh2"
},
{
"type": "WEB",
"url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB"
},
{
"type": "WEB",
"url": "https://matt.ucc.asn.au/dropbear/CHANGES"
},
{
"type": "WEB",
"url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=38684904"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=38685286"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2023-48795-mitigate-openssh-vulnerability"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2023-48795-detect-openssh-vulnerabilit"
},
{
"type": "WEB",
"url": "https://www.vandyke.com/products/securecrt/history.txt"
},
{
"type": "WEB",
"url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh"
},
{
"type": "WEB",
"url": "https://www.terrapin-attack.com"
},
{
"type": "WEB",
"url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795"
},
{
"type": "WEB",
"url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed"
},
{
"type": "WEB",
"url": "https://www.paramiko.org/changelog.html"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2023/12/20/3"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2023/12/18/2"
},
{
"type": "WEB",
"url": "https://www.openssh.com/txt/release-9.6"
},
{
"type": "WEB",
"url": "https://www.openssh.com/openbsd.html"
},
{
"type": "WEB",
"url": "https://www.netsarang.com/en/xshell-update-history"
},
{
"type": "WEB",
"url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508"
},
{
"type": "WEB",
"url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5588"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5586"
},
{
"type": "WEB",
"url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update"
},
{
"type": "WEB",
"url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html"
},
{
"type": "WEB",
"url": "https://www.bitvise.com/ssh-server-version-history"
},
{
"type": "WEB",
"url": "https://www.bitvise.com/ssh-client-version-history#933"
},
{
"type": "WEB",
"url": "https://winscp.net/eng/docs/history#6.2.2"
},
{
"type": "WEB",
"url": "https://ubuntu.com/security/CVE-2023-48795"
},
{
"type": "WEB",
"url": "https://twitter.com/TrueSkrillor/status/1736774389725565005"
},
{
"type": "WEB",
"url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214084"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240105-0004"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202312-17"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202312-16"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg"
},
{
"type": "WEB",
"url": "https://github.com/rapier1/hpn-ssh/releases"
},
{
"type": "WEB",
"url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES"
},
{
"type": "WEB",
"url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES"
},
{
"type": "WEB",
"url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES"
},
{
"type": "WEB",
"url": "https://github.com/openssh/openssh-portable/commits/master"
},
{
"type": "WEB",
"url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16"
},
{
"type": "WEB",
"url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15"
},
{
"type": "WEB",
"url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25"
},
{
"type": "WEB",
"url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1"
},
{
"type": "WEB",
"url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42"
},
{
"type": "WEB",
"url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6"
},
{
"type": "WEB",
"url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-45x7-px36-x8w8"
},
{
"type": "WEB",
"url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1"
},
{
"type": "WEB",
"url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta"
},
{
"type": "WEB",
"url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10\u0026id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
},
{
"type": "WEB",
"url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack"
},
{
"type": "WEB",
"url": "https://filezilla-project.org/versions.php"
},
{
"type": "WEB",
"url": "https://crates.io/crates/thrussh/versions"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-915275.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-794697.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-769027.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-364175.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/920280"
},
{
"type": "WEB",
"url": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2023-48795"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00032.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00042.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html"
},
{
"type": "WEB",
"url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795"
},
{
"type": "WEB",
"url": "https://help.panic.com/releasenotes/transmit5"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ"
},
{
"type": "WEB",
"url": "https://go.dev/issue/64784"
},
{
"type": "WEB",
"url": "https://go.dev/cl/550715"
},
{
"type": "WEB",
"url": "https://gitlab.com/libssh/libssh-mirror/-/tags"
},
{
"type": "WEB",
"url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2"
},
{
"type": "PACKAGE",
"url": "https://github.com/warp-tech/russh"
},
{
"type": "WEB",
"url": "https://github.com/ronf/asyncssh/tags"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/21"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/12/18/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/12/19/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/12/20/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/06/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/17/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin"
}
GHSA-47X9-8RM9-JCX3
Vulnerability from github – Published: 2023-07-12 15:30 – Updated: 2024-04-04 06:04DigiExam up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access PII and takeover accounts on shared computers.
{
"affected": [],
"aliases": [
"CVE-2023-33668"
],
"database_specific": {
"cwe_ids": [
"CWE-354"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-12T13:15:09Z",
"severity": "CRITICAL"
},
"details": "DigiExam up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access PII and takeover accounts on shared computers.",
"id": "GHSA-47x9-8rm9-jcx3",
"modified": "2024-04-04T06:04:01Z",
"published": "2023-07-12T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33668"
},
{
"type": "WEB",
"url": "https://github.com/lodi-g/CVE-2023-33668"
},
{
"type": "WEB",
"url": "http://digiexam.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-48CV-XV53-CGJF
Vulnerability from github – Published: 2023-07-06 03:30 – Updated: 2024-04-04 05:25Improper validation of integrity check vulnerability in Smart Switch PC prior to version 4.3.23052_1 allows local attackers to delete arbitrary directory using directory junction.
{
"affected": [],
"aliases": [
"CVE-2023-30673"
],
"database_specific": {
"cwe_ids": [
"CWE-354"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-06T03:15:12Z",
"severity": "MODERATE"
},
"details": "Improper validation of integrity check vulnerability in Smart Switch PC prior to version 4.3.23052_1 allows local attackers to delete arbitrary directory using directory junction.",
"id": "GHSA-48cv-xv53-cgjf",
"modified": "2024-04-04T05:25:42Z",
"published": "2023-07-06T03:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30673"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4CQJ-VG46-4946
Vulnerability from github – Published: 2024-12-27 12:30 – Updated: 2024-12-27 12:30There is an insufficient integrity vulnerability in Huawei products. A module does not perform sufficient integrity check in a specific scenario. Attackers can exploit the vulnerability by physically install malware. This could compromise normal service of the affected device. (Vulnerability ID: HWPSIRT-2020-00145)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9210.
{
"affected": [],
"aliases": [
"CVE-2020-9210"
],
"database_specific": {
"cwe_ids": [
"CWE-354"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T10:15:14Z",
"severity": "MODERATE"
},
"details": "There is an insufficient integrity vulnerability in Huawei products. A module does not perform sufficient integrity check in a specific scenario. Attackers can exploit the vulnerability by physically install malware. This could compromise normal service of the affected device. (Vulnerability ID: HWPSIRT-2020-00145)\n\nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9210.",
"id": "GHSA-4cqj-vg46-4946",
"modified": "2024-12-27T12:30:35Z",
"published": "2024-12-27T12:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9210"
},
{
"type": "WEB",
"url": "https://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20210106-01-myna-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4H98-2769-GH6H
Vulnerability from github – Published: 2022-08-18 19:00 – Updated: 2022-08-18 19:00Impact
The functions ECDSA.recover and ECDSA.tryRecover are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issue for the functions that take a single bytes argument, and not the functions that take r, v, s or r, vs as separate arguments.
The potentially affected contracts are those that implement signature reuse or replay protection by marking the signature itself as used rather than the signed message or a nonce included in it. A user may take a signature that has already been submitted, submit it again in a different form, and bypass this protection.
Patches
The issue has been patched in 4.7.3.
For more information
If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at security@openzeppelin.com.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@openzeppelin/contracts"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.7.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@openzeppelin/contracts-upgradeable"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.7.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-35961"
],
"database_specific": {
"cwe_ids": [
"CWE-354"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-18T19:00:43Z",
"nvd_published_at": "2022-08-15T11:21:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe functions `ECDSA.recover` and `ECDSA.tryRecover` are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issue for the functions that take a single `bytes` argument, and not the functions that take `r, v, s` or `r, vs` as separate arguments.\n\nThe potentially affected contracts are those that implement signature reuse or replay protection by marking the signature itself as used rather than the signed message or a nonce included in it. A user may take a signature that has already been submitted, submit it again in a different form, and bypass this protection.\n\n### Patches\n\nThe issue has been patched in 4.7.3.\n\n\n### For more information\n\nIf you have any questions or comments about this advisory, or need assistance deploying a fix, email us at [security@openzeppelin.com](mailto:security@openzeppelin.com).\n",
"id": "GHSA-4h98-2769-gh6h",
"modified": "2022-08-18T19:00:43Z",
"published": "2022-08-18T19:00:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4h98-2769-gh6h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35961"
},
{
"type": "WEB",
"url": "https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3610"
},
{
"type": "WEB",
"url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/d693d89d99325f395182e4f547dbf5ff8e5c3c87"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenZeppelin/openzeppelin-contracts"
},
{
"type": "WEB",
"url": "https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.7.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenZeppelin Contracts vulnerable to ECDSA signature malleability"
}
GHSA-4JGC-CJ59-F9MM
Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-10 18:31Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery.
Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability.
If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker.
The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
{
"affected": [],
"aliases": [
"CVE-2026-34181"
],
"database_specific": {
"cwe_ids": [
"CWE-354"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T17:17:04Z",
"severity": "HIGH"
},
"details": "Issue Summary: The PKCS#12 file processing fails to perform sufficient input\nvalidation for files that use Password-Based Message Authentication Code 1\n(PBMAC1) integrity mechanism allowing a certificate and private key forgery.\n\nImpact Summary: An attacker impersonating a user can cause a service reading\nPKCS#12 files to accept forged certificates and private keys with a 1 in 256\nprobability.\n\nIf a service accepting PKCS#12 files is using passwords for authenticating\nthe received files, the attacker can create unencrypted PKCS#12 files that\nuse PBMAC1 authentication that specifies an HMAC key of only one byte, allowing\nthem to craft a file that will be accepted with a 1 in 256 probability.\nThat would then cause the service to accept a certificate and private key\ncontrolled by the attacker.\n\nThe FIPS modules are not affected by this issue, as the affected code is\noutside the OpenSSL FIPS module boundary.",
"id": "GHSA-4jgc-cj59-f9mm",
"modified": "2026-06-10T18:31:40Z",
"published": "2026-06-09T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34181"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/0300eb9ddce7a0895bf301a4b0c03a9da2313a0f"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/79eb76a937e474bb7610a0a3dc57131dc8dc6610"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/85dcbb3abaa4878af5c8fbbe11bce708fcf984a7"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/ec36f2417c4ddd8cabce4b4a60a3d7a7365f2d81"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/0300eb9ddce7a0895bf301a4b0c03a9da2313a0f"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/79eb76a937e474bb7610a0a3dc57131dc8dc6610"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/85dcbb3abaa4878af5c8fbbe11bce708fcf984a7"
},
{
"type": "WEB",
"url": "https://github.com/openssl/security/commit/ec36f2417c4ddd8cabce4b4a60a3d7a7365f2d81"
},
{
"type": "WEB",
"url": "https://openssl-library.org/news/secadv/20260609.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4Q7Q-6WXM-5V68
Vulnerability from github – Published: 2024-01-23 21:30 – Updated: 2024-01-31 18:31Missing Integrity Check in Shelly TRV 20220811-152343/v2.1.8@5afc928c allows malicious users to create a backdoor by redirecting the device to an attacker-controlled machine which serves the manipulated firmware file. The device is updated with the manipulated firmware.
{
"affected": [],
"aliases": [
"CVE-2023-42143"
],
"database_specific": {
"cwe_ids": [
"CWE-354"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-23T20:15:45Z",
"severity": "MODERATE"
},
"details": "Missing Integrity Check in Shelly TRV 20220811-152343/v2.1.8@5afc928c allows malicious users to create a backdoor by redirecting the device to an attacker-controlled machine which serves the manipulated firmware file. The device is updated with the manipulated firmware.",
"id": "GHSA-4q7q-6wxm-5v68",
"modified": "2024-01-31T18:31:23Z",
"published": "2024-01-23T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42143"
},
{
"type": "WEB",
"url": "https://www.kth.se/cs/nse/research/software-systems-architecture-and-security/projects/ethical-hacking-1.1279219"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4V26-V6CG-G6F9
Vulnerability from github – Published: 2026-03-13 20:04 – Updated: 2026-03-16 22:01Summary
XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts without knowing the encryption key.
Details
When decrypting with either aes-128-gcm, aes-192-gcm, or aes-256-gcm here, the $authTag is set from a substr(), but never has its length validated (it should be validated with something like strlen($authTag) == self::AUTHTAG_LENGTH).
For that reason, a shorter than expected data blob will allow for the $authTag to have as short a tag as only one byte (see PHP's documentation).
See this example:
function test($data) {
$ivSize = 12;
$tagSize = 16;
$iv = substr($data, 0, $ivSize);
$data = substr($data, $ivSize);
$offset = 0 - $tagSize;
$tag = substr($data, $offset);
$ct = substr($data, 0, $offset);
echo 'IV: "' . $iv . '"' . PHP_EOL;
echo 'Tag: "' . $tag . '"' . PHP_EOL;
echo 'CT: "' . $ct . '"' . PHP_EOL;
}
/* Outputs:
php > test('myNonceNoncet');
IV: "myNonceNonce"
Tag: "t"
CT: ""
php > test('myNonceNonceta');
IV: "myNonceNonce"
Tag: "ta"
CT: ""
php > test('myNonceNoncetag');
IV: "myNonceNonce"
Tag: "tag"
CT: ""
*/
With a legit ciphertext in hand, this is enough to recover the GHASH key. With that key, any authenticated tags can be computed offline which allows for decryption of the ciphertext and forgery of arbitrary ciphertexts.
PoC
- Setup a server expecting XML with an encrypted assertion
- Run this php script poc.php with
php -S 127.0.0.1:8888(taken from this saml test case) - The script expects this private key: sp-private-key.pem.
- Run this php script poc.php with
- Create an XML document with an encrypted assertion (encrypted with
aes-256-gcm)- Here is the
SAMLResponseused in the video below: saml_response.txt
- Here is the
Note: The steps from 3 to 6 are implemented in this exploit script: nonce_reuse_with_fmt_val_oracle.py.
You can run the script with sage -python nonce_reuse_with_fmt_val_oracle.py -s 'url-encoded_and_base64-encoded_samlresponse'
- Take the content of the
<xenc:CipherValue>node and apply the following modifications- Base64-decode the content
- Take the first 12 bytes and save them as the nonce
- Take the last 16 bytes and save them as the tag
- Now brute-force the tag of an empty ciphertext
- Loop through all 256 possible byte values (let's call that
byte_tag_attempt) - Concatenate together the nonce and the
byte_tag_attempt - Base64-encode the result
- Replace the content of the
<xenc:CipherValue>node with this result - On http errors 500, we learn that the tag is valid
- Do the same for the next byte of the tag until all 16 bytes have been brute-forced
- Loop through all 256 possible byte values (let's call that
- With this new tag and the empty ciphertext, compute the GHASH key (the way to do this has been described in this blog post)
- Use this GHASH key to compute authentication tags offline for arbitrary ciphertexts
- Decryption is done by observing XML parsing errors that occur after modifying the ciphertext, those can be seen as http errors 500
Impact
The general impact is: - XML nodes encrypted with AES-GCM can be decrypted by observing parsing differences - XML nodes encrypted with AES-GCM can be modified to decrypt to an arbitrary value - The GCM internal GHASH key can be recovered
In cases where the encryption key is embedded in the XML and is encrypted with the Service Provider's public key (like often done with SAML), the last two items don't have a big impact.
This is because:
- With the Service Provider's public key, an arbitrary ciphertext can be created with a known symmetric key
- The symmetric keys are generated on the fly every time the IdP creates a new SAMLResponse
In any case, secrets that are embedded in the XML, whether coming from an IdP, or from another scheme, can be decrypted.
Important: If static symmetric keys are used, as the GHASH key could have leaked, you must rotate those keys.
References
For additional information on the issue, you can refer to this blog post about the OpenSSL issue and how it can be exploited.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "robrichards/xmlseclibs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32313"
],
"database_specific": {
"cwe_ids": [
"CWE-354"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T20:04:21Z",
"nvd_published_at": "2026-03-16T14:19:33Z",
"severity": "HIGH"
},
"details": "### Summary\nXML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length.\nAn attacker can use this to brute-force an authentication tag, recover the [GHASH key](https://en.wikipedia.org/wiki/Galois/Counter_Mode#:~:text=%29%20is%20the-,hash%20key,-%2C%20a%20string%20of), and decrypt the encrypted nodes.\nIt also allows to forge arbitrary ciphertexts without knowing the encryption key.\n\n### Details\nWhen decrypting with either aes-128-gcm, aes-192-gcm, or aes-256-gcm [here](https://github.com/robrichards/xmlseclibs/blob/2bdfd742624d739dfadbd415f00181b4a77aaf07/src/XMLSecurityKey.php#L467-L479), the `$authTag` is set from a `substr()`, but never has its length validated (it should be validated with something like `strlen($authTag) == self::AUTHTAG_LENGTH`).\nFor that reason, a shorter than expected data blob will allow for the `$authTag` to have as short a tag as only one byte (see [PHP\u0027s documentation](https://www.php.net/manual/en/function.openssl-decrypt.php#:~:text=The%20length%20of%20the%20tag%20is%20not%20checked%20by%20the%20function.%20It%20is%20the%20caller%27s%20responsibility%20to%20ensure%20that%20the%20length%20of%20the%20tag%20matches%20the%20length%20of%20the%20tag%20retrieved%20when%20openssl_encrypt()%20has%20been%20called.%20Otherwise%20the%20decryption%20may%20succeed%20if%20the%20given%20tag%20only%20matches%20the%20start%20of%20the%20proper%20tag.)).\n\nSee this example:\n```php\nfunction test($data) {\n $ivSize = 12;\n $tagSize = 16;\n\n $iv = substr($data, 0, $ivSize);\n $data = substr($data, $ivSize);\n $offset = 0 - $tagSize;\n $tag = substr($data, $offset);\n $ct = substr($data, 0, $offset);\n\n echo \u0027IV: \"\u0027 . $iv . \u0027\"\u0027 . PHP_EOL;\n echo \u0027Tag: \"\u0027 . $tag . \u0027\"\u0027 . PHP_EOL;\n echo \u0027CT: \"\u0027 . $ct . \u0027\"\u0027 . PHP_EOL;\n}\n\n/* Outputs:\nphp \u003e test(\u0027myNonceNoncet\u0027);\nIV: \"myNonceNonce\"\nTag: \"t\"\nCT: \"\"\nphp \u003e test(\u0027myNonceNonceta\u0027);\nIV: \"myNonceNonce\"\nTag: \"ta\"\nCT: \"\"\nphp \u003e test(\u0027myNonceNoncetag\u0027);\nIV: \"myNonceNonce\"\nTag: \"tag\"\nCT: \"\"\n*/\n```\n\nWith a legit ciphertext in hand, this is enough to recover the [GHASH key](https://en.wikipedia.org/wiki/Galois/Counter_Mode#:~:text=%29%20is%20the-,hash%20key,-%2C%20a%20string%20of).\nWith that key, any authenticated tags can be computed offline which allows for decryption of the ciphertext and forgery of arbitrary ciphertexts.\n\n### PoC\n1. Setup a server expecting XML with an encrypted assertion\n - Run this php script [poc.php](https://github.com/user-attachments/files/24426600/poc.php.txt) with `php -S 127.0.0.1:8888` (taken from [this saml test case](https://github.com/robrichards/xmlseclibs/blob/69fd63080bc47a8d51bc101c30b7cb756862d1d6/tests/saml/saml-decrypt.phpt#L62))\n - The script expects this private key: [sp-private-key.pem.](https://github.com/user-attachments/files/24426620/sp-private-key.pem.txt)\n2. Create an XML document with an encrypted assertion (encrypted with `aes-256-gcm`)\n - Here is the `SAMLResponse` used in the video below: [saml_response.txt](https://github.com/user-attachments/files/24426638/saml_response.txt)\n\n**Note:** The steps from 3 to 6 are implemented in this exploit script: [nonce_reuse_with_fmt_val_oracle.py](https://github.com/user-attachments/files/24426645/nonce_reuse_with_fmt_val_oracle.py).\nYou can run the script with `sage -python nonce_reuse_with_fmt_val_oracle.py -s \u0027url-encoded_and_base64-encoded_samlresponse\u0027`\n\n3. Take the content of the `\u003cxenc:CipherValue\u003e` node and apply the following modifications\n 1. Base64-decode the content\n 2. Take the first 12 bytes and save them as the nonce\n 3. Take the last 16 bytes and save them as the tag\n 4. Now brute-force the tag of an empty ciphertext\n 1. Loop through all 256 possible byte values (let\u0027s call that `byte_tag_attempt`)\n 2. Concatenate together the nonce and the `byte_tag_attempt`\n 3. Base64-encode the result\n 4. Replace the content of the `\u003cxenc:CipherValue\u003e` node with this result\n 5. On http errors 500, we learn that the tag is valid\n 6. Do the same for the next byte of the tag until all 16 bytes have been brute-forced\n4. With this new tag and the empty ciphertext, compute the [GHASH key](https://en.wikipedia.org/wiki/Galois/Counter_Mode#:~:text=%29%20is%20the-,hash%20key,-%2C%20a%20string%20of) (the way to do this has been described in this [blog post](https://frereit.de/aes_gcm/))\n5. Use this [GHASH key](https://en.wikipedia.org/wiki/Galois/Counter_Mode#:~:text=%29%20is%20the-,hash%20key,-%2C%20a%20string%20of) to compute authentication tags offline for arbitrary ciphertexts\n6. Decryption is done by observing XML parsing errors that occur after modifying the ciphertext, those can be seen as http errors 500\n\n[poc.webm](https://github.com/user-attachments/assets/2f6e4a7e-4384-4350-b423-7ddd77aa9152)\n\n\n### Impact\nThe general impact is:\n- XML nodes encrypted with AES-GCM can be decrypted by observing parsing differences\n- XML nodes encrypted with AES-GCM can be modified to decrypt to an arbitrary value\n- The GCM internal [GHASH key](https://en.wikipedia.org/wiki/Galois/Counter_Mode#:~:text=%29%20is%20the-,hash%20key,-%2C%20a%20string%20of) can be recovered\n\nIn cases where the encryption key is embedded in the XML and is encrypted with the Service Provider\u0027s public key (like often done with SAML), the last two items don\u0027t have a big impact.\nThis is because: \n- With the Service Provider\u0027s public key, an arbitrary ciphertext can be created with a known symmetric key\n- The symmetric keys are generated on the fly every time the IdP creates a new `SAMLResponse`\n\nIn any case, secrets that are embedded in the XML, whether coming from an IdP, or from another scheme, can be decrypted.\n\n**Important:** If static symmetric keys are used, as the [GHASH key](https://en.wikipedia.org/wiki/Galois/Counter_Mode#:~:text=%29%20is%20the-,hash%20key,-%2C%20a%20string%20of) could have leaked, you must rotate those keys.\n\n### References\nFor additional information on the issue, you can refer to this [blog post](https://sideni.xyz/posts/exploiting_openssl_api/) about the OpenSSL issue and how it can be exploited.",
"id": "GHSA-4v26-v6cg-g6f9",
"modified": "2026-03-16T22:01:02Z",
"published": "2026-03-13T20:04:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-4v26-v6cg-g6f9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32313"
},
{
"type": "WEB",
"url": "https://github.com/robrichards/xmlseclibs/commit/03062be78178cbb5e8f605cd255dc32a14981f92"
},
{
"type": "PACKAGE",
"url": "https://github.com/robrichards/xmlseclibs"
},
{
"type": "WEB",
"url": "https://github.com/robrichards/xmlseclibs/releases/tag/3.1.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "xmlseclibs: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption"
}
GHSA-4XM5-4W7J-J8QM
Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2025-05-06 21:30An issue was discovered in osquery. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious unsigned code will execute. This issue affects osquery prior to v3.2.7
{
"affected": [],
"aliases": [
"CVE-2018-6336"
],
"database_specific": {
"cwe_ids": [
"CWE-354"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-31T19:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in osquery. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious unsigned code will execute. This issue affects osquery prior to v3.2.7",
"id": "GHSA-4xm5-4w7j-j8qm",
"modified": "2025-05-06T21:30:36Z",
"published": "2022-05-13T01:16:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6336"
},
{
"type": "WEB",
"url": "https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-56MC-FPWX-P947
Vulnerability from github – Published: 2025-01-17 21:31 – Updated: 2025-01-18 00:30A new feature to prevent Firmware downgrades was recently added to some Lexmark products. A method to override this downgrade protection has been identified.
{
"affected": [],
"aliases": [
"CVE-2023-50738"
],
"database_specific": {
"cwe_ids": [
"CWE-354"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-17T21:15:09Z",
"severity": "CRITICAL"
},
"details": "A\u00a0new feature to prevent Firmware downgrades was recently added to some Lexmark products. A method to \noverride this downgrade protection has been identified.",
"id": "GHSA-56mc-fpwx-p947",
"modified": "2025-01-18T00:30:48Z",
"published": "2025-01-17T21:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50738"
},
{
"type": "WEB",
"url": "https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Ensure that the checksums present in messages are properly checked in accordance with the protocol specification before they are parsed and used.
CAPEC-145: Checksum Spoofing
An adversary spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verify message integrity. They consist of some value based on the value of the message they are protecting. Hash codes are a common checksum mechanism. Both the sender and recipient are able to compute the checksum based on the contents of the message. If the message contents change between the sender and recipient, the sender and recipient will compute different checksum values. Since the sender's checksum value is transmitted with the message, the recipient would know that a modification occurred. In checksum spoofing an adversary modifies the message body and then modifies the corresponding checksum so that the recipient's checksum calculation will match the checksum (created by the adversary) in the message. This would prevent the recipient from realizing that a change occurred.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-75: Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.