Products
cocoon
- before 0.4.0
Source
report@snyk.io
Tags
CVE-2024-21530 details
Published : Oct. 2, 2024, 5:15 a.m.
Last Modified : Oct. 2, 2024, 5:15 a.m.
Last Modified : Oct. 2, 2024, 5:15 a.m.
Description
Versions of the package cocoon before 0.4.0 are vulnerable to Reusing a Nonce, Key Pair in Encryption when the encrypt, wrap, and dump functions are sequentially called. An attacker can generate the same ciphertext by creating a new encrypted message with the same cocoon object. **Note:** The issue does NOT affect objects created with Cocoon::new which utilizes ThreadRng.
CVSS Score
| 1 | 2 | 3 | 4.5 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | Nonces should be used for the present occasion and only once. |
CVSS Data
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
4.5
Exploitability Score
1.4
Impact Score
2.7
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
References
| URL | Source |
|---|---|
| https://github.com/advisories/GHSA-6878-6wc2-pf5h | report@snyk.io |
| https://github.com/fadeevab/cocoon/commit/1b6392173ce35db4736a94b62b2d2973f9a71441 | report@snyk.io |
| https://github.com/fadeevab/cocoon/issues/22 | report@snyk.io |
| https://rustsec.org/advisories/RUSTSEC-2023-0068.html | report@snyk.io |
| https://security.snyk.io/vuln/SNYK-RUST-COCOON-6028364 | report@snyk.io |
This website uses the NVD API, but is not approved or certified by it.