GitHub Advisory Database: GHSA-VFCG-5GGC-3RXX
History: May 17, 2022 - 5:25 a.m.

Elixir can leak information due to weak use of crypto

2022-05-17 05:25:05
CWE-327
GitHub Advisory Database
github.com
Tags: elixir, crypto vulnerability, blowfish, cfb mode, initialization vector, database encryption, patch, software

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N

AI Score: 6.1
Confidence: Low

EPSS: 0.002
Percentile: 60.8%

Elixir 0.7.1 and earlier uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database. A patch has been attached to the initial advisory to mitigate this vulnerability.
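The effect of the missing unique IV can be seen by comparing stored ciphertexts. The following is an added example, not code from Elixir or from the advisory: it implements CFB with an 8-byte block and, as an assumption, uses truncated HMAC-SHA256 in place of Blowfish (CFB only calls the cipher in the forward direction). The key, IV, sample values and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 8                      # Blowfish block size in bytes
KEY = b"constructed-demo-key"  # constructed sample key
FIXED_IV = b"\x00" * BLOCK     # constructed: the same IV reused for every value


def _block_encrypt(key: bytes, block: bytes) -> bytes:
    # Assumption: truncated HMAC-SHA256 stands in for Blowfish. CFB only uses
    # the cipher's forward direction, so the mode logic is unchanged.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        stream = _block_encrypt(key, feedback)
        result = bytes(d ^ s for d, s in zip(chunk, stream))
        out += result
        feedback = chunk if decrypt else result  # feedback is always ciphertext
    return bytes(out)


def encrypt_fixed_iv(plaintext: bytes) -> bytes:
    """Weak pattern: every value is encrypted under the same IV."""
    return _cfb(KEY, FIXED_IV, plaintext, decrypt=False)


def encrypt_unique_iv(plaintext: bytes) -> bytes:
    """Corrected pattern: fresh random IV per value, stored with the ciphertext."""
    iv = os.urandom(BLOCK)
    return iv + _cfb(KEY, iv, plaintext, decrypt=False)


def decrypt_unique_iv(blob: bytes) -> bytes:
    return _cfb(KEY, blob[:BLOCK], blob[BLOCK:], decrypt=True)


def shared_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes two stored values have in common."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n


# Constructed sample column values that differ only in their last four bytes.
ROW_A = b"alice@example.com|plan=free"
ROW_B = b"alice@example.com|plan=paid"
```

With the fixed IV, the two ciphertexts agree on exactly the bytes where the plaintexts agree, so identical or similar column values are visible in the encrypted database. With a fresh IV per value, the stored blobs differ from the first byte on and still decrypt correctly.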

Affected configurations

Vulners
Node: mind-elixir_project mind-elixir, Range 0.7.1, node.js

Vendor | Product | Version | CPE
mind-elixir_project | mind-elixir | * | cpe:2.3:a:mind-elixir_project:mind-elixir:*:*:*:*:*:node.js:*:*
