ID-305-encryptor.yml
---
gem: encryptor
cve: ??
ghsa: ??
url: https://github.com/attr-encrypted/encryptor#upgrading-from-v200-to-v300
title: AES-GCM nonce reuse vulnerability
date: 2016-03-26
description: |
  This gem was encrypting all messages using the same key/nonce. This
  not only exposes the XOR of the plaintexts if you XOR together two
  ciphertexts, but it also leaks the AES-GCM authentication key, allowing
  an attacker to forge messages and potentially perform chosen ciphertext
  attacks, which could potentially enable full plaintext recovery
  (especially if they've e.g. compromised the database, which is the
  threat model attr_encrypted is designed to defend against).
cvss_v2: ??
cvss_v3: ??
patched_versions:
  - ">= 3.0.0"
related:
  url:
    - https://github.com/attr-encrypted/encryptor#upgrading-from-v200-to-v300
    - https://github.com/attr-encrypted/encryptor/blob/master/CHANGELOG.md
    - https://github.com/attr-encrypted/encryptor/issues/30
    - https://github.com/attr-encrypted/encryptor/pull/22
    - https://github.com/attr-encrypted/encryptor/pull/22/commits/91f7228b6add7156f5bb38f9495be5141fe557a8
    - https://security.snyk.io/vuln/SNYK-RUBY-ENCRYPTOR-20434
    - https://github.com/rubysec/ruby-advisory-db/issues/305
# ####################################################################
notes: |
  - Using CWE-323.
  - keywords: CWE AES-GCM nonce reuse vulnerability encrypting authentication
  - (CWE-323) (yes)
  - https://www.ubiqsecurity.com/exploring-cwe-323-reusing-a-nonce-key-pair-in-encryption/
  - (CWE-327) (general)
  - No CVE/GHSA/OSVDB ID.
  - No cvss_v2 or cvss_v3. SNYK has general CVSS values.
  - Owner: @saghaulor (Last commit was 3/26/2016)
  - Release 3.0.0 (3/26/2018) is last release of gem as of 6/12/2023.
  - Proof of fix: See above commit URL.
  - ------------------------------------------------------------
  - Security policy?: https://github.com/attr-encrypted/encryptor/security (empty) ??
  - Date: email to owner: TBD ??
  - ISS#30 ("CVE for encryptor 2.0.0") is still open.
  - Proof of exploit: ??
  - Date: review of draft: ??