Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRjNHctM3E0NS1ocDlq
Aescrypt does not sufficiently use random values
The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV used by the AESCrypt.encrypt and AESCrypt.decrypt functions. Because every message is encrypted under the same key and the same IV, encryption is deterministic: identical plaintexts give identical ciphertexts, and messages that share a 16-byte prefix share the corresponding ciphertext blocks. An attacker who can submit chosen plaintexts for encryption can therefore confirm guesses about encrypted data block by block and defeat the cryptographic protection.
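The following is an added illustration, not code from the aescrypt gem or from the advisory: it puts AES-256-CBC with a fixed IV (an all-zero IV and a SHA-256-derived key are assumptions for the demo; the gem's own key handling is not modelled) beside a corrected variant that draws a fresh random IV per message and prepends it to the ciphertext. Two checks show the difference: equal 16-byte plaintext prefixes leak through the fixed-IV scheme, and a chosen-plaintext search recovers a low-entropy field (a four-digit PIN, constructed sample data) from a captured ciphertext. The function names are hypothetical.

```ruby
require "openssl"

# Added example (not the aescrypt gem's code). Models the CVE-2013-7463 flaw:
# AES-256-CBC under one key with a fixed IV, beside a version that draws a
# fresh random IV per message and prepends it to the ciphertext.

# Constructed sample key (32 bytes for AES-256); the real gem's key derivation
# is not modelled here.
KEY = OpenSSL::Digest::SHA256.digest("example password")
IV_LEN = 16

# Vulnerable pattern: every message is encrypted under the same key and the
# same IV (all-zero here, an assumption for the demo), so encryption is
# deterministic.
def encrypt_fixed_iv(plaintext, key = KEY)
  cipher = OpenSSL::Cipher.new("AES-256-CBC")
  cipher.encrypt
  cipher.key = key
  cipher.iv = "\x00" * IV_LEN
  cipher.update(plaintext) + cipher.final
end

# Hardened pattern: a fresh random IV per message, sent in the clear ahead of
# the ciphertext (the IV need not be secret, only unpredictable and unique).
def encrypt_random_iv(plaintext, key = KEY)
  cipher = OpenSSL::Cipher.new("AES-256-CBC")
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv          # generates, sets and returns a 16-byte IV
  iv + cipher.update(plaintext) + cipher.final
end

def decrypt_random_iv(blob, key = KEY)
  iv = blob[0, IV_LEN]
  ct = blob[IV_LEN..-1]
  cipher = OpenSSL::Cipher.new("AES-256-CBC")
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.update(ct) + cipher.final
end

# Leak check: two messages sharing their first 16 plaintext bytes. With a fixed
# IV their first ciphertext blocks are identical; with a random IV they differ.
# ct_offset skips the prepended IV where one is present.
def prefix_leaks?(encrypt, ct_offset)
  a = encrypt.call("ACCOUNT=00001234;balance=9000")
  b = encrypt.call("ACCOUNT=00001234;balance=0000")
  a[ct_offset, IV_LEN] == b[ct_offset, IV_LEN]
end

# Chosen-plaintext attack on a low-entropy field: the attacker, able to obtain
# encryptions of plaintexts of their choosing, encrypts every candidate and
# compares against the captured ciphertext. Returns the recovered PIN, or nil
# when no candidate matches (as with the random-IV scheme).
def recover_pin(target_ct, encrypt)
  (0..9999).find { |pin| encrypt.call(format("PIN=%04d", pin)) == target_ct }
end

if __FILE__ == $PROGRAM_NAME
  captured = encrypt_fixed_iv("PIN=0042")
  puts "fixed IV leaks equal prefix:  #{prefix_leaks?(method(:encrypt_fixed_iv), 0)}"
  puts "random IV leaks equal prefix: #{prefix_leaks?(method(:encrypt_random_iv), IV_LEN)}"
  puts "PIN recovered under fixed IV:  #{recover_pin(captured, method(:encrypt_fixed_iv)).inspect}"
  puts "PIN recovered under random IV: #{recover_pin(encrypt_random_iv('PIN=0042'), method(:encrypt_random_iv)).inspect}"
end
```

Since the advisory lists no fixed version, the practical remediation is to stop relying on the gem's encrypt/decrypt helpers and call OpenSSL directly as in the random-IV variant, storing the IV with each ciphertext. A random IV removes the deterministic-encryption leak but does not by itself give integrity; CBC output should additionally be authenticated (or an AEAD mode used) if the ciphertext can be tampered with in transit.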
Permalink: https://github.com/advisories/GHSA-4c4w-3q45-hp9j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRjNHctM3E0NS1ocDlq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 7 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00151
EPSS Percentile: 0.5169
Identifiers: GHSA-4c4w-3q45-hp9j, CVE-2013-7463
References:
- https://nvd.nist.gov/vuln/detail/CVE-2013-7463
- https://github.com/Gurpartap/aescrypt/issues/4
- https://web.archive.org/web/20200227173428/http://www.securityfocus.com/bid/98035
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/aescrypt/CVE-2013-7463.yml
- https://github.com/advisories/GHSA-4c4w-3q45-hp9j
Blast Radius: 15.0
Affected Packages
rubygems:aescrypt
Dependent packages: 5
Dependent repositories: 100
Downloads: 1,235,364 total
Affected Version Ranges: <= 1.0.0
No known fixed version
All affected versions: 1.0.0