GHSA-9v35-4xcr-w9ph
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9v35-4xcr-w9ph
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-9v35-4xcr-w9ph/GHSA-9v35-4xcr-w9ph.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-9v35-4xcr-w9ph
- Aliases
-
- CVE-2024-41260
- GO-2024-3057
- Published
- 2024-08-01T18:32:50Z
- Modified
- 2025-06-25T19:30:53Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- NetBird uses a static initialization vector (IV)
- Details
-
A static initialization vector (IV) in the encrypt function of netbird management's service from v0.23.2 to v0.29.1 allows attackers to obtain sensitive information (email addresses) when in possession of the audit events database.
- Database specific
{ "nvd_published_at": "2024-08-01T16:15:06Z", "github_reviewed_at": "2024-08-07T14:16:58Z", "github_reviewed": true, "cwe_ids": [ "CWE-321" ], "severity": "HIGH" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-41260
- https://github.com/netbirdio/netbird/issues/2246
- https://github.com/netbirdio/netbird/pull/2569
- https://github.com/netbirdio/netbird/commit/cf6210a6f42355e88c422c624376f6fcdaea6729
- https://gist.github.com/nyxfqq/92232108ac153e95d538bb17fc5ad636
- https://github.com/advisories/GHSA-9v35-4xcr-w9ph
- https://github.com/netbirdio/netbird
Affected packages
Go / github.com/netbirdio/netbird
Package
- Name
- github.com/netbirdio/netbird
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/netbirdio/netbird