Today > 1 Critical | 5 High | 22 Medium vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-21530

Oct. 4, 2024, 1:50 p.m.

CVSS Score

4.5 / 10

Product(s) Impacted

cocoon

  • before 0.4.0

Description

Versions of the package cocoon before 0.4.0 are vulnerable to Reusing a Nonce, Key Pair in Encryption when the encrypt, wrap, and dump functions are sequentially called. An attacker can generate the same ciphertext by creating a new encrypted message with the same cocoon object. **Note:** The issue does NOT affect objects created with Cocoon::new which utilizes ThreadRng.

Weaknesses

CWE-323
Reusing a Nonce, Key Pair in Encryption

Nonces should be used for the present occasion and only once.

CWE ID: 323

Date

Published: Oct. 2, 2024, 5:15 a.m.

Last Modified: Oct. 4, 2024, 1:50 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

report@snyk.io

CVSS Data

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score
4.5
Exploitability Score
1.4
Impact Score
2.7
Base Severity
MEDIUM
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

References