CVE-2016-0736

CVE Database · CVE-2016-0736

CVE-2016-0736

· N/AModified

CVSS v3.1

N/A

EPSS

49.02%

Published

Jul 27, 2017

Modified

May 12, 2026

Public PoC / Exploit (2)

All weaponized →

Exploit-DBApache mod_session_crypto - Padding Oracle TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

Weaknesses (CWE)

CWE-310

Affected Products (17)

apache · http_servervulnerable

References (20)

http://rhn.redhat.com/errata/RHSA-2017-1415.html

http://www.debian.org/security/2017/dsa-3796

http://www.securityfocus.com/bid/95078

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1037508

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:0906

https://access.redhat.com/errata/RHSA-2017:1161

https://access.redhat.com/errata/RHSA-2017:1413

https://access.redhat.com/errata/RHSA-2017:1414

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03725en_us

KEV Catalog EPSS Scores Vendors All CVEs