GHSA-4c4w-3q45-hp9j

Suggest an improvement
Source
https://github.com/advisories/GHSA-4c4w-3q45-hp9j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-4c4w-3q45-hp9j/GHSA-4c4w-3q45-hp9j.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4c4w-3q45-hp9j
Aliases
  • CVE-2013-7463
Published
2017-10-24T18:33:36Z
Modified
2023-11-01T04:45:23.416990Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Aescrypt does not sufficiently use random values
Details

The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use with the AESCrypt.encrypt and AESCrypt.decrypt functions, which allows attackers to defeat cryptographic protection mechanisms via a chosen plaintext attack.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-330"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:58:06Z"
}
References

Affected packages

RubyGems / aescrypt

Package

Name
aescrypt
Purl
pkg:gem/aescrypt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.0.0

Affected versions

1.*

1.0.0