CVE-2013-5960: MAC Bypass in Symmetric Encryption

September 30, 2013 (updated February 4, 2019)

The authenticated-encryption feature in the symmetric-encryption implementation in the this package does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.

References

off-the-wall-security.blogspot.ca/2014/03/esapi-no-longer-owasp-flagship-project.html
owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf
www.synacktiv.com/ressources/synacktiv_owasp_esapi_hmac_bypass.pdf
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5960

Code Behaviors & Features

Detect and mitigate CVE-2013-5960 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →