CVE-2017-10668

{"id": "CVE-2017-10668", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2017-06-30T12:29:00.213", "references": [{"url": "http://blog.sec-consult.com/2017/06/german-e-government-details-vulnerabilities.html", "tags": ["Technical Description", "Third Party Advisory"], "source": "nvd@nist.gov"}, {"url": "http://seclists.org/fulldisclosure/2017/Jun/44", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-327"}]}], "descriptions": [{"lang": "en", "value": "A Padding Oracle exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 (Java) and OSCI Transport Library 1.6 (.NET). Under an MITM condition within the OSCI infrastructure, an attacker needs to send crafted protocol messages to analyse the CBC mode padding in order to decrypt the transport encryption."}, {"lang": "es", "value": "Existe un or\u00e1culo de relleno en OSCI-Transport 1.2, tal y como se emplea en OSCI Transport Library 1.6.1 (Java) y OSCI Transport Library 1.6 (.NET). Bajo una condici\u00f3n MitM en la infraestructura OSCI, un atacante necesita enviar mensajes de protocolo manipulados para analizar el relleno del modo CBC para descifrar el cifrado de transporte."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xoev:osci_transport_library:1.6:*:*:*:.net:*:*:*", "vulnerable": true, "matchCriteriaId": "BC7159A3-28E0-4AE2-A2A5-7B5F44D7305F"}, {"criteria": "cpe:2.3:a:xoev:osci_transport_library:1.6.1:*:*:*:java:*:*:*", "vulnerable": true, "matchCriteriaId": "7F00B66D-46D7-4D58-A1A0-7BA1AD5C0EEE"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}