Lucene search

Veracode Vulnerability DatabaseVERACODE:44008

HistoryOct 26, 2023 - 8:32 a.m.

Weak Encryption

2023-10-2608:32:44

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

crypto-es

insecure hashing algorithm

sha1

data forgery

certificates

digital signatures

unauthorized access

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

37.4%

JSON

Crypto-es is vulnerable to Insecure Hashing Algorithm. The vulnerability is present because the library uses the cryptographically weak sha1 algorithm by default. This weakness allows an attacker to potentially forge data, certificates, or digital signatures, which could lead to unauthorized access if the hash is used for security.

CPENameOperatorVersion
crypto-esle2.0.4
crypto-esle2.0.4

CPE	Name	Operator	Version
	crypto-es	le	2.0.4
	crypto-es	le	2.0.4

References

github.com/advisories/GHSA-mpj8-q39x-wq5h

github.com/entronad/crypto-es/commit/d506677fae3d03a454b37ad126e0c119d416b757

github.com/entronad/crypto-es/security/advisories/GHSA-mpj8-q39x-wq5h

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

37.4%

JSON

Related for VERACODE:44008