Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Hardcoded static IV and AAD with a reused key in AES GCM encryption in mod_auth_openidc
Vulnerability Description
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has been patched to use dynamic values through usage of cjose AES encryption routines.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
在加密中重用Nonce与密钥对
Vulnerability Title
mod_auth_openidc 安全特征问题漏洞
Vulnerability Description
mod_auth_openidc是一个应用软件。是 Apache 2.x HTTP 服务器的身份验证/授权模块,用作OpenID Connect 依赖方,根据 OpenID Connect 提供程序对用户进行身份验证。 Zmartzone mod_auth_openidc存在安全漏洞,该漏洞源于 mod_auth_openidc 中的 AES GCM 加密使用静态 IV 和 AAD。这会导致加密问题,因为相同的密钥正在被重用。
CVSS Information
N/A
Vulnerability Type
N/A