CGI Generic Padding Oracle

medium Nessus Plugin ID 50413


A web application hosted on the remote server is potentially prone to a padding oracle attack


By manipulating the padding on an encrypted string, Nessus was able to generate an error message that indicates a likely 'padding oracle' vulnerability. Such a vulnerability can affect any application or framework that uses encryption improperly, such as some versions of, Java Server Faces, and Mono.

An attacker may exploit this issue to decrypt data and recover encryption keys, potentially viewing and modifying confidential data.

Note that this plugin should detect the MS10-070 padding oracle vulnerability in if CustomErrors are enabled in that.


Update the affected server software, or modify the CGI scripts so that they properly validate encrypted data before attempting decryption.

See Also

Plugin Details

Severity: Medium

ID: 50413

File Name: padding_oracle.nasl

Version: 1.18

Type: remote

Family: CGI abuses

Published: 10/29/2010

Updated: 4/11/2022

Configuration: Enable thorough checks

Risk Information


Risk Factor: Medium

Score: 5.2


Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: E:POC/RL:OF/RC:C

Vulnerability Information

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 9/28/2010

Vulnerability Publication Date: 9/17/2010

Reference Information

CVE: CVE-2010-3332

BID: 43316, 44285