Description of the problem: A vulnerability has been found in io.github.bonigarcia:[email protected] › com.github.docker-java:[email protected] › com.github.docker-java:[email protected] › org.bouncycastle:[email protected] › org.bouncycastle:[email protected].
This package is vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via javax.crypto.Cipher exceptions and the OAEP interface vector leaks via the bit size of the decrypted data.
Browser and version: latest chrome browser
Operating system and architecture: amazon linux 2
Selenium version: 4.18
WebDriverManager version: 5.7.0
WebDriverManager call:
WebDriverManager traces:
Error log:
This is a similar issue to #916. Unfortunately, this is a transitive dependency in WebDriverManager, declared in docker-java. So far, I had no luck asking them to update vulnerable dependencies.
I have just released WebDriverManager 5.9.0, which excludes org.bouncycastle:bcpkix-jdk18on and forces the use of jackson-databind 2.17.1. So I believe this issue should be fixed now.
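To confirm that an upgrade or exclusion like the one described above actually removed the Bouncy Castle artifacts from a build, the dependency tree can be checked mechanically. The following is an added example, not code from this issue or from WebDriverManager; the function names are hypothetical and the `mvn dependency:tree` sample is constructed, with placeholder versions.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not from the issue).
# All versions are 0.0.0 placeholders.
SAMPLE_TREE = r"""
[INFO] com.example:ui-tests:jar:0.0.0
[INFO] +- io.github.bonigarcia:webdrivermanager:jar:0.0.0:test
[INFO] |  +- com.github.docker-java:docker-java:jar:0.0.0:test
[INFO] |  |  \- org.bouncycastle:bcpkix-jdk18on:jar:0.0.0:test
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:0.0.0:test
[INFO] \- org.seleniumhq.selenium:selenium-java:jar:0.0.0:test
"""

# One tree node: optional "[INFO] ", 3-character indent units, Maven coordinates.
NODE = re.compile(
    r"^(?:\[INFO\] )?(?P<indent>(?:[|+\\ ][ -] )*)"
    r"(?P<coords>[\w.-]+(?::[\w.-]+){3,5})(?:\s+\(.*\))?\s*$"
)

def paths_to(tree_text, group_id, artifact_id=None):
    """Return each chain (root first) that ends at a matching artifact."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banner, blank or summary line
        depth = len(m.group("indent")) // 3
        group, artifact = m.group("coords").split(":")[:2]
        del stack[depth:]  # drop siblings and deeper nodes
        stack.append(f"{group}:{artifact}")
        if group == group_id and artifact_id in (None, artifact):
            hits.append(list(stack))
    return hits

def introduced_by(tree_text, group_id):
    """Direct dependencies of the root that pull in the given group."""
    return {p[1] for p in paths_to(tree_text, group_id) if len(p) > 1}

if __name__ == "__main__":
    for path in paths_to(SAMPLE_TREE, "org.bouncycastle"):
        print(" > ".join(path))
    print(introduced_by(SAMPLE_TREE, "org.bouncycastle"))
```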