CVE-2013-7463 – aescrypt
Package
Manager: gem
Name: aescrypt
Vulnerable Version: >=0 <=1.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.003 (percentile 0.52805)
Details
Aescrypt does not sufficiently use random values
The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use with the AESCrypt.encrypt and AESCrypt.decrypt functions, which allows attackers to defeat cryptographic protection mechanisms via a chosen plaintext attack.
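Why a non-random CBC IV matters, shown with Ruby's OpenSSL bindings rather than the gem itself: with a constant IV, encryption is deterministic and equal plaintext prefixes produce equal ciphertext blocks, while a fresh IV per message removes that signal. This is an added example, not code from the advisory or from aescrypt; the all-zero IV, the key, the sample messages and all helper names are constructed assumptions.

```ruby
require 'openssl'

CIPHER   = 'aes-256-cbc'
BLOCK    = 16
FIXED_IV = ("\x00" * BLOCK).b # constructed constant IV, stands in for any non-random IV

def new_cipher(mode, key)
  c = OpenSSL::Cipher.new(CIPHER)
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = key
  c
end

# Weak pattern: every message is encrypted under the same IV.
def encrypt_fixed_iv(key, plaintext)
  c = new_cipher(:encrypt, key)
  c.iv = FIXED_IV
  c.update(plaintext) + c.final
end

# Corrected pattern: fresh random IV per message, prepended to the ciphertext.
def encrypt_random_iv(key, plaintext)
  c = new_cipher(:encrypt, key)
  iv = c.random_iv # generates the IV and sets it on the cipher
  iv + c.update(plaintext) + c.final
end

def decrypt_random_iv(key, blob)
  c = new_cipher(:decrypt, key)
  c.iv = blob.byteslice(0, BLOCK)
  c.update(blob.byteslice(BLOCK..-1)) + c.final
end

# Number of leading 16-byte blocks two ciphertexts have in common.
def shared_prefix_blocks(a, b)
  limit = [a.bytesize, b.bytesize].min / BLOCK
  n = 0
  n += 1 while n < limit && a.byteslice(n * BLOCK, BLOCK) == b.byteslice(n * BLOCK, BLOCK)
  n
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::Random.random_bytes(32)
  m1  = 'user=alice;role=admin;note=first message' # constructed samples that
  m2  = 'user=alice;role=admin;note=second one'    # share their first 16 bytes
  puts "fixed IV shared blocks:  #{shared_prefix_blocks(encrypt_fixed_iv(key, m1), encrypt_fixed_iv(key, m2))}"
  puts "random IV shared blocks: #{shared_prefix_blocks(encrypt_random_iv(key, m1), encrypt_random_iv(key, m2))}"
end
```

A random IV restores confidentiality of repeated plaintexts only; it does not add integrity, which needs an authenticated mode or a MAC over the IV and ciphertext.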
Metadata
Created: 2017-10-24T18:33:36Z
Modified: 2023-01-25T22:56:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-4c4w-3q45-hp9j/GHSA-4c4w-3q45-hp9j.json
CWE IDs: ["CWE-330"]
Alternative ID: GHSA-4c4w-3q45-hp9j
Finding: F034
Auto approve: 1