CVE-2023-26154

Name of the Vulnerable Software and Affected Versions pubnub versions prior to 7.4.0 com.pubnub:pubnub all versions github.com/pubnub/go all versions github.com/pubnub/go/v7 versions prior to 7.2.0 pubnub/pubnub versions prior to 6.1.0 pubnub/c-core versions prior to 4.5.0 com.pubnub:pubnub-kotlin versions prior to 7.7.0 pubnub/swift versions prior to 6.2.0

Description The issue is related to insufficient entropy in the implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. This is due to the inefficient implementation of the getKey function. To exploit this vulnerability, an attacker needs to invest resources in preparing the attack and brute-force the encryption.

Recommendations To resolve the issue, users are encouraged to migrate to the new crypto package introduced in v7.2.0. For versions prior to 7.4.0, consider updating to version 7.4.0 or later. For com.pubnub:pubnub, github.com/pubnub/go, and other affected packages without a specified fixed version, update to the latest version available. As a temporary workaround, consider restricting the use of the vulnerable getKey function until a patch is available.