PyPinkSign uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption

GHSA-fxff-wxxv-c2jc · CVE-2023-48056 · PYSEC-2023-245

Published Nov 16, 2023 · Modified Oct 14, 2024

Description

PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-48056
WEB https://github.com/bandoche/PyPinkSign/issues/29
WEB https://github.com/bandoche/PyPinkSign/commit/e1809ddf6a266e9007e10f0486b462fa7f89a43d
PACKAGE https://github.com/bandoche/PyPinkSign
WEB https://github.com/bandoche/PyPinkSign/blob/main/pypinksign/pypinksign.py#L504
WEB https://github.com/bandoche/PyPinkSign/blob/main/pypinksign/pypinksign.py#L537
WEB https://github.com/pypa/advisory-database/tree/main/vulns/pypinksign/PYSEC-2023-245.yaml
WEB https://gxx777.github.io/PyPinkSign_v0.5.1_Cryptographic_API_Misuse_Vulnerability.md

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes