PT-2017-5765 · Ruby · Aescrypt

Jfinkhaeuser

Publicado

2017-04-19

Atualizado

2017-10-24

CVE-2013-7463

CVSS v3.1

7.5

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: aescrypt gem version 1.0.0

Description: The issue concerns the aescrypt gem for Ruby, which fails to randomize the CBC IV when using the AESCrypt.encrypt and AESCrypt.decrypt functions. This flaw enables attackers to bypass cryptographic protection through a chosen plaintext attack.

Recommendations: For aescrypt gem version 1.0.0, consider updating to a version that properly randomizes the CBC IV for the AESCrypt.encrypt and AESCrypt.decrypt functions to prevent chosen plaintext attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use of Insufficiently Random Values

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-330

Identificadores relacionados

CVE-2013-7463

GHSA-4C4W-3Q45-HP9J

Produtos afetados

Aescrypt

PT-2017-5765 · Ruby · Aescrypt

CVE-2013-7463

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7