GHSA-r2r8-36pq-27cm

Suggest an improvement
Source
https://github.com/advisories/GHSA-r2r8-36pq-27cm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-r2r8-36pq-27cm/GHSA-r2r8-36pq-27cm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-r2r8-36pq-27cm
Published
2024-05-17T23:06:52Z
Modified
2024-12-02T05:36:19.854636Z
Summary
nzo/url-encryptor-bundle Insecure default secret key and IV allowing anyone to decrypt values
Details

Versions of nzo/url-encryptor-bundle prior to 5.0.1 and 4.3.2 are affected by a security vulnerability related to the lack of mandatory key and IV requirements. By default, the bundle uses the aes-256-ctr algorithm, which is susceptible to malleability attacks, potentially leading to Insecure Direct Object Reference (IDOR) vulnerabilities. Additionally, the reuse of keys enables users to decrypt and modify encrypted data if they can guess the plaintext of one ciphertext.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-17T23:06:52Z"
}
References

Affected packages

Packagist / nzo/url-encryptor-bundle

Package

Name
nzo/url-encryptor-bundle
Purl
pkg:composer/nzo/url-encryptor-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.1

Affected versions

v5.*

v5.0.0

Packagist / nzo/url-encryptor-bundle

Package

Name
nzo/url-encryptor-bundle
Purl
pkg:composer/nzo/url-encryptor-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.3.2

Affected versions

4.*

4.1.0
4.2.0
4.2.1

v4.*

v4.2.2
v4.2.3
v4.3.0
v4.3.1