documentation/README.md
2 additions & 2 deletions
Original file line number
Diff line number
Diff line change
@@ -122,8 +122,8 @@ This vulnerability exists in the custom authentication handshake, that is perfor
122
122
to obtain a special JWT that acts as authentication for MCP (Model Context Protocol) requests.
123
123
124
124
### Vulnerability
125
-
The service implements a challenge-response authentication computing first a session key from the shared secret (the created access token), client and server challenge
126
-
and later on using AES CFB8 encryption to generate client credentials from an all-zero IV and client credentials with the session key as key.
125
+
The service implements a challenge-response authentication computing first a session key from the shared secret (the created AI-agent access token), client and server challenge
126
+
and later on using AES CFB8 encryption to generate client credentials from an **all-zero** IV and client credentials with the session key as key.
127
127
Because the server challenge is randomly generated, the resulting session key is also effectively random and is then used to encrypt the IV and the client challenge.
128
128
In 1 out of 256 cases, the AES-encrypted ciphertext starts with a zero byte, which is XOR´ed with the first byte of the client challenge.
129
129
If the client challenge is set to all zero, the result will also be a zero byte. In the next encryption round, the AES input is shifted to
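Review bot: The reworded sentence on new line 126 still says the client credentials are generated "from an **all-zero** IV and client credentials", which is circular and contradicts the unchanged line 127, where the session key is used to encrypt "the IV and the client challenge". The second "client credentials" should read "client challenge", since the explanation that follows (the zero first ciphertext byte XORed with the first byte of the client challenge) depends on the challenge being the plaintext. While touching these lines, consider splitting the sentence in two, one for the session key derivation from the AI-agent access token and both challenges, and one for the AES CFB8 step, so that the role of the session key as the AES key is not buried in the trailing "with the session key as key".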