GitHub Advisory DatabaseGHSA-35M5-8CVJ-8783Improper hashing in enrocrypt
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
48.0%
Impact
The vulnerability is we used MD5 hashing Algorithm In our hashing file. If anyone who is a beginner(and doesn’t know about hashes) can face problems as MD5 is considered a Insecure Hashing Algorithm.
Patches
The vulnerability is patched in v1.1.4 of the product, the users can upgrade to version 1.1.4.
Workarounds
If u specifically want a version and don’t want to upgrade, you can remove the MD5 hashing function from the file hashing.py and this vulnerability will be gone
References
https://www.cybersecurity-help.cz/vdb/cwe/916/
https://www.cybersecurity-help.cz/vdb/cwe/327/
https://www.cybersecurity-help.cz/vdb/cwe/328/
https://www.section.io/engineering-education/what-is-md5/
https://www.johndcook.com/blog/2019/01/24/reversing-an-md5-hash/
For more information
If you have any questions or comments about this advisory:
- Open an issue in Enrocrypt’s Official Repo
- Create a Discussion in Enrocrypt’s Official Repo
Affected configurations
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
48.0%