Veracode Vulnerability DatabaseVERACODE:44603Insufficient Entropy
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
44.0%
pubnub is vulnerable to Insufficient Entropy. The vulnerability is caused by the getKey function in web.js which uses an inefficient key derivation method for AES-256-CBC encryption, resulting in a reduced key space due to hex encoding and trimming. This leaves half of the bits in the encryption key fixed for all messages, This allows attackers to brute-force the encryption by exploiting the limited entropy in the key generation process.
| CPE | Name | Operator | Version |
|---|---|---|---|
| pubnub | le | 7.3.3 | |
| pubnub | le | 6.18.0 | |
| pubnub java sdk | le | 4.6.5 | |
| pubnub | le | 7.2.0 | |
| pubnub | le | 5.2.2 | |
| pubnub/pubnub | le | 6.0.1 | |
| pubnub kotlin sdk | le | 7.6.0 | |
| github.com/pubnub/go | le | v7.1.2 | |
| pubnub | le | 7.3.3 | |
| pubnub | le | 6.18.0 |
References
gist.github.com/vargad/20237094fce7a0a28f0723d7ce395bb0
github.com/advisories/GHSA-5844-q3fc-56rh
github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js#L70
github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js%23L70
github.com/pubnub/javascript/commit/fb6cd0417cbb4ba87ea2d5d86a9c94774447e119
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
44.0%