- changed status to wontfix
Insecure encryption mode CBC with PKCS5
Issue #516
wontfix
There are a few places where an insecure encryption mode is used:
Reference material:
Comments (2)
Facing the same issue, any updates?
A padding oracle AES/CBC/HMAC vuln had been detected and fixed in 2017:
https://bitbucket.org/connect2id/nimbus-jose-jwt/src/ff5608a1abf41e10acfedf076d9e87a78f52d07c/SECURITY-CHANGELOG.txt#lines-22
The AES/CBC/HMAC mode is a current JOSE standard and as such it will be supported here. This library also supports AES/GCM and the newer https://connect2id.com/products/nimbus-jose-jwt/examples/jwe-with-xc20p
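An added example, not code from Nimbus JOSE+JWT or from this thread: a sketch of the A128CBC-HS256 construction from RFC 7518 section 5.2, showing the authentication tag being verified in constant time before any CBC decryption or padding removal takes place. The class name, key, header bytes and plaintext are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class CbcHmacSketch { // hypothetical class name
    // Tag = first 16 bytes of HMAC-SHA-256(MAC_KEY, AAD || IV || ciphertext || AL)
    static byte[] tag(byte[] macKey, byte[] aad, byte[] iv, byte[] ct) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        mac.update(aad);
        mac.update(iv);
        mac.update(ct);
        // AL: AAD length in bits as a 64-bit big-endian integer (long arithmetic, no int overflow)
        mac.update(ByteBuffer.allocate(8).putLong(aad.length * 8L).array());
        return Arrays.copyOf(mac.doFinal(), 16);
    }

    static byte[] decrypt(byte[] key, byte[] aad, byte[] iv, byte[] ct, byte[] tag) throws Exception {
        byte[] macKey = Arrays.copyOfRange(key, 0, 16);  // first half of the key: MAC_KEY
        byte[] encKey = Arrays.copyOfRange(key, 16, 32); // second half of the key: ENC_KEY
        // Constant-time tag comparison happens before the cipher is touched
        if (!MessageDigest.isEqual(tag(macKey, aad, iv, ct), tag)) {
            throw new SecurityException("authentication failed");
        }
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] key = new byte[32], iv = new byte[16];
        rnd.nextBytes(key);
        rnd.nextBytes(iv);
        byte[] aad = "constructed-header".getBytes("US-ASCII"); // constructed sample AAD
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(Arrays.copyOfRange(key, 16, 32), "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal("sample plaintext".getBytes("US-ASCII"));
        byte[] t = tag(Arrays.copyOfRange(key, 0, 16), aad, iv, ct);
        System.out.println(new String(decrypt(key, aad, iv, ct, t), "US-ASCII"));
        ct[ct.length - 1] ^= 1; // modified ciphertext must fail at the MAC check, never at padding removal
        try { decrypt(key, aad, iv, ct, t); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Because every modified ciphertext is rejected with the same error before `Cipher.doFinal` runs, a caller cannot distinguish padding failures from MAC failures.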