microsoft / react-native-code-push

React Native module for CodePush
http://appcenter.ms

The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks. nimbusds / MOBSF . com.nimbusds:nimbus-jose-jwt:5.1 #2550

Closed gbashish12556 closed 7 months ago

gbashish12556 commented 1 year ago

Generate APK and analyze it using MOBSF

Environment
react-native-code-push version: 6.2.1
react-native version: 0.63.4
version: android 29

I also tried upgrading nimbusds to 9.8.1, which is the latest version, using patch-package. It did not help.

MOBSF Error:

The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.

Priority : high

CWE: CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
OWASP Top 10: M5: Insufficient Cryptography
OWASP MASVS: MSTG-CRYPTO-3

com/nimbusds/jose/crypto/AESCBC.java com/nimbusds/jose/jca/JCASupport.java

AnatolyPristensky commented 7 months ago

@gbashish12556, I'm closing this issue as duplicate of #2533. Let's continue discussion there.