SYM_JSTS_0159 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Cryptographic Issues
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-310: CWE CATEGORY: Cryptographic Issues |
| OWASP | A02:2021 - Cryptographic Failures |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.