Aescrypt does not sufficiently use random values · CVE-2013-7463 · GitHub Advisory Database · GitHub

Aescrypt does not sufficiently use random values

High severity GitHub Reviewed Published Oct 24, 2017 to the GitHub Advisory Database • Updated Jul 31, 2023

Package

aescrypt (RubyGems)

Affected versions

<= 1.0.0

Patched versions

None

Description

The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use with the AESCrypt.encrypt and AESCrypt.decrypt functions, which allows attackers to defeat cryptographic protection mechanisms via a chosen plaintext attack.

References

Published to the GitHub Advisory Database Oct 24, 2017

Reviewed Jun 16, 2020

Last updated Jul 31, 2023

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N