Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS0zNW01LThjdmotODc4M80W7g

Improper hashing in enrocrypt

Impact

The vulnerability is we used MD5 hashing Algorithm In our hashing file. If anyone who is a beginner(and doesn't know about hashes) can face problems as MD5 is considered a Insecure Hashing Algorithm.

Patches

The vulnerability is patched in v1.1.4 of the product, the users can upgrade to version 1.1.4.

Workarounds

If u specifically want a version and don't want to upgrade, you can remove the MD5 hashing function from the file hashing.py and this vulnerability will be gone

References

https://www.cybersecurity-help.cz/vdb/cwe/916/
https://www.cybersecurity-help.cz/vdb/cwe/327/
https://www.cybersecurity-help.cz/vdb/cwe/328/
https://www.section.io/engineering-education/what-is-md5/
https://www.johndcook.com/blog/2019/01/24/reversing-an-md5-hash/

For more information

If you have any questions or comments about this advisory:

• Open an issue in Enrocrypt's Official Repo
• Create a Discussion in Enrocrypt's Official Repo

Permalink: https://github.com/advisories/GHSA-35m5-8cvj-8783
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNW01LThjdmotODc4M80W7g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: 3 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Percentage: 0.00253
EPSS Percentile: 0.64293

Identifiers: GHSA-35m5-8cvj-8783, CVE-2021-39182
References:

• https://github.com/Morgan-Phoenix/EnroCrypt/security/advisories/GHSA-35m5-8cvj-8783
• https://nvd.nist.gov/vuln/detail/CVE-2021-39182
• https://github.com/Morgan-Phoenix/EnroCrypt/commit/e652d56ac60eadfc26489ab83927af13a9b9d8ce
• https://github.com/pypa/advisory-database/tree/main/vulns/enrocrypt/PYSEC-2021-385.yaml
• https://github.com/advisories/GHSA-35m5-8cvj-8783

Repository: https://github.com/Morgan-Phoenix/EnroCrypt
Blast Radius: 2.3

Affected Packages