
CVE-2017-10668

Published: 30/06/2017 Updated: 03/10/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

A Padding Oracle exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 (Java) and OSCI Transport Library 1.6 (.NET). Under an MITM condition within the OSCI infrastructure, an attacker needs to send crafted protocol messages to analyse the CBC mode padding in order to decrypt the transport encryption.

Vulnerable Product

xoev osci transport library 1.6.1

xoev osci transport library 1.6

Recent Articles

German e-gov protocol carries ancient vulns
The Register • Richard Chirgwin • 03 Jul 2017

This is a chaos

Germany's e-government system is open to padding oracle attacks and other vulnerabilities because of an insecure communications protocol. According to this SEC-Consult advisory, which landed on Friday, the problems are in the OSCI-Transport Library version 1.2, for which a common implementation is in Java. OSCI, the Online Services Computer Interface, is the foundation of Germany's e-government. It's meant to provide secure, confidential, and legally-binding transmission over untrusted networks ...