{"id":"GO-2020-0009","summary":"Integer overflow in github.com/square/go-jose","details":"On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC with HMAC such that they can control how large the input buffer is when computing the HMAC authentication tag. This can can allow a manipulated ciphertext to be verified as authentic, opening the door for padding oracle attacks.","aliases":["CVE-2016-9123","GHSA-3fx4-7f69-5mmg"],"modified":"2024-05-20T16:03:47Z","published":"2021-04-14T20:04:52Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2020-0009"},"references":[{"type":"FIX","url":"https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2016/11/03/1"}],"affected":[{"package":{"name":"github.com/square/go-jose","ecosystem":"Go","purl":"pkg:golang/github.com/square/go-jose"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20160903044734-789a4c4bd4c1"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/square/go-jose/cipher","symbols":["cbcAEAD.Open","cbcAEAD.Seal","cbcAEAD.computeAuthTag"],"goarch":["386","arm","armbe","amd64p32","mips","mipsle","mips64p32","mips64p32le","ppc","riscv","s390","sparc"]},{"path":"github.com/square/go-jose","symbols":["JsonWebEncryption.Decrypt","genericEncrypter.Encrypt","genericEncrypter.EncryptWithAuthData"],"goarch":["386","arm","armbe","amd64p32","mips","mipsle","mips64p32","mips64p32le","ppc","riscv","s390","sparc"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2020-0009.json"}}],"schema_version":"1.7.3","credits":[{"name":"Quan Nguyen from Google's Information Security Engineering Team"}]}