PT-2017-11767 · Heinekingmedia · Stashcat
Karsten König
·
Published
2017-08-01
·
Updated
2017-08-07
·
CVE-2017-11133
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
heinekingmedia StashCat versions 1.7.5 and earlier for Android
heinekingmedia StashCat versions 0.0.80w and earlier for Web
heinekingmedia StashCat versions 0.0.86 and earlier for Desktop
Description
An issue was discovered in the encryption process of heinekingmedia StashCat. The software uses AES in CBC mode to encrypt messages with a pseudo-random secret. However, the secret and the IV are generated using methods that are not cryptographically strong, specifically math.random() in previous versions and CryptoJS.lib.WordArray.random() in newer versions, which internally uses math.random().
Recommendations
For heinekingmedia StashCat versions 1.7.5 and earlier for Android, consider updating to a version that uses a cryptographically strong method for generating secrets and IVs.
For heinekingmedia StashCat versions 0.0.80w and earlier for Web, consider updating to a version that uses a cryptographically strong method for generating secrets and IVs.
For heinekingmedia StashCat versions 0.0.86 and earlier for Desktop, consider updating to a version that uses a cryptographically strong method for generating secrets and IVs.
Fix
Use of a Broken Cryptographic Algorithm
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Stashcat