CVE-2017-10668 Information

Description

A padding oracle exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 (Java) and OSCI Transport Library 1.6 (.NET). Under an MITM condition within the OSCI infrastructure, an attacker needs to send crafted protocol messages to analyse the CBC-mode padding in order to decrypt the transport encryption.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

http://blog.sec-consult.com/2017/06/german-e-government-details-vulnerabilities.html

http://seclists.org/fulldisclosure/2017/Jun/44

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.9

Base Severity

MEDIUM