AES Crypt for Linux Password Security Vulnerability

Critical
paulej published GHSA-r7fv-72pg-fwrq Aug 3, 2022

Package

AES Crypt for Linux (AES Crypt)

Affected versions

3.0.11

Patched versions

3.16

Description

Impact

AES Crypt for Linux, when built from the source on GitHub and reporting version number 3.0.11, has a vulnerability in how it reads user-provided passwords and password confirmations entered at command-line prompts. This does not affect the source code distributed at aescrypt.com, and the vulnerability is not present when a password or key is supplied via the -p or -k command-line options.

Patches

The problem was fixed in commit 6876185.

Workarounds

Rather than enter passwords when prompted, use the -p or -k options to provide a password or key.

References

No other reference exists.

For more information

Questions or comments may be directed to the author at paulej@packetizer.com.

Severity

Critical

CVE ID

CVE-2022-35928

Weaknesses