PT-2017-5765 · Ruby · Aescrypt

Jfinkhaeuser

Published

2017-04-19

Updated

2017-10-24

CVE-2013-7463

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: aescrypt gem version 1.0.0

Description: The issue concerns the aescrypt gem for Ruby, which fails to randomize the CBC IV when using the AESCrypt.encrypt and AESCrypt.decrypt functions. This flaw enables attackers to bypass cryptographic protection through a chosen plaintext attack.

Recommendations: For aescrypt gem version 1.0.0, consider updating to a version that properly randomizes the CBC IV for the AESCrypt.encrypt and AESCrypt.decrypt functions to prevent chosen plaintext attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use of Insufficiently Random Values

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-330

Related Identifiers

CVE-2013-7463

GHSA-4C4W-3Q45-HP9J

Affected Products

Aescrypt

PT-2017-5765 · Ruby · Aescrypt

CVE-2013-7463

Weakness Enumeration

Related Identifiers

Affected Products

References · 7