osv / Google / OSV:GO-2023-2385
History: Jan 02, 2024 - 6:32 p.m.

Insufficient entropy in AES-256-CBC in github.com/pubnub/go

2024-01-02 18:32:37
Google
osv.dev

Tags: aes-256-cbc, insufficient entropy, github.com/pubnub/go, migrate, v7.2.0, crypto package

CVSS3: 5.9 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.9 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 44.0%)

There is insufficient entropy in the implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt functions are less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file.

Users are encouraged to migrate to the new crypto package introduced in v7.2.0.
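
The key-space reduction described above, measured in an added example (not code from the pubnub/go project or from the advisory). It assumes the key is the first 32 characters of a hex-encoded SHA-256 digest used directly as the AES-256 key; `hexTrimmedKey`, `rawKey` and `maxEntropyBits` are hypothetical names and the secrets are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
)

// hexTrimmedKey models the described pattern. Assumed details: SHA-256 as the
// hash and a trim to 32 characters; the ASCII text itself is the AES-256 key.
func hexTrimmedKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return []byte(hex.EncodeToString(sum[:])[:32])
}

// rawKey uses the 32 digest bytes directly, for comparison.
func rawKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

// maxEntropyBits derives keys from constructed secrets and returns an upper
// bound on key entropy: sum over the 32 positions of log2(distinct bytes seen).
func maxEntropyBits(derive func(string) []byte, samples int) float64 {
	var seen [32][256]bool
	for i := 0; i < samples; i++ {
		for pos, b := range derive(fmt.Sprintf("constructed-secret-%d", i)) {
			seen[pos][b] = true
		}
	}
	bits := 0.0
	for pos := range seen {
		distinct := 0
		for _, hit := range seen[pos] {
			if hit {
				distinct++
			}
		}
		bits += math.Log2(float64(distinct))
	}
	return bits
}

func main() {
	fmt.Printf("hex-encoded, trimmed key: at most %.0f bits\n", maxEntropyBits(hexTrimmedKey, 20000))
	fmt.Printf("raw digest key:           at most %.0f bits\n", maxEntropyBits(rawKey, 20000))
}
```

Each key byte of the hex-encoded form is one of only 16 ASCII characters, so a 32-byte key carries at most 4 bits per byte.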

CPE
Name: github.com/pubnub/go/v7
Operator: ge
Version: 7.2.0
