Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-0736

CWE-310CWE-287Improper Authentication15 documents11 sources
Severity
7.5HIGH
EPSS
41.7%
top 2.58%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Apache Software Foundation Apache Http ServerApache Http Server
Timeline
PublishedJul 27
Latest updateMay 13

Description

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

NVDapache/http_server17 versions+16
Debianapache2< 2.4.25-1+3
Ubuntuapache2< 2.4.7-1ubuntu4.15+1

🔴Vulnerability Details

5
GHSA
GHSA-mxm5-vg5c-rx7v: In Apache HTTP Server versions 22022-05-13
OSV
CVE-2016-0736: In Apache HTTP Server versions 22017-07-27
CVEList
CVE-2016-0736: In Apache HTTP Server versions 22017-07-27
OSV
apache2 vulnerabilities2017-05-09
VulnCheck
Apache HTTP Server versions 2.4.0 to 2.4.23 mod_session_crypto Vulnerability2016

💥Exploits & PoCs

1
Exploit-DB
Apache mod_session_crypto - Padding Oracle2016-12-23

📋Vendor Advisories

6
Apple
CVE-2016-0736: macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan2017-10-31
Apple
CVE-2016-0736: macOS High Sierra 10.132017-09-25
Ubuntu
Apache HTTP Server vulnerabilities2017-05-09
Apple
CVE-2016-0736: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite2017-03-27
Red Hat
httpd: Padding Oracle in Apache mod_session_crypto2016-12-20

💬Community

2
Bugzilla
CVE-2016-0736 CVE-2016-2161 CVE-2016-8743 httpd: various flaws [fedora-all]2016-12-21
Bugzilla
CVE-2016-0736 httpd: Padding Oracle in Apache mod_session_crypto2016-12-21
CVE-2016-0736 (HIGH CVSS 7.5) | In Apache HTTP Server versions 2.4. | cvebase.io