5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
44.0%
pubnub is vulnerable to Insufficient Entropy. The vulnerability is caused by the getKey
function in web.js
which uses an inefficient key derivation method for AES-256-CBC encryption, resulting in a reduced key space due to hex encoding and trimming. This leaves half of the bits in the encryption key fixed for all messages, This allows attackers to brute-force the encryption by exploiting the limited entropy in the key generation process.
CPE | Name | Operator | Version |
---|---|---|---|
pubnub | le | 7.3.3 | |
pubnub | le | 6.18.0 | |
pubnub java sdk | le | 4.6.5 | |
pubnub | le | 7.2.0 | |
pubnub | le | 5.2.2 | |
pubnub/pubnub | le | 6.0.1 | |
pubnub kotlin sdk | le | 7.6.0 | |
github.com/pubnub/go | le | v7.1.2 | |
pubnub | le | 7.3.3 | |
pubnub | le | 6.18.0 |
gist.github.com/vargad/20237094fce7a0a28f0723d7ce395bb0
github.com/advisories/GHSA-5844-q3fc-56rh
github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js#L70
github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js%23L70
github.com/pubnub/javascript/commit/fb6cd0417cbb4ba87ea2d5d86a9c94774447e119
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
44.0%