CVE-2017-5999

EPSS 0.32%
Veröffentlicht 06.03.2017 06:59:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in sysPass 2.x before 2.1, in which an algorithm was never sufficiently reviewed by cryptographers. The fact that inc/SP/Core/Crypt.class is using the MCRYPT_RIJNDAEL_256() function (the 256-bit block version of Rijndael, not AES) instead of MCRYPT_RIJNDAEL_128 (real AES) could help an attacker to create unknown havoc in the remote system.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Syspass ≫ Syspass Version2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.32%	0.516

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

http://www.securityfocus.com/bid/96562

Third Party Advisory

VDB Entry

https://cxsecurity.com/issue/WLB-2017020196

Third Party Advisory

https://github.com/nuxsmin/sysPass/commit/a0e2c485e53b370a7cc6d833e192c3c5bfd70e1f

Patch

https://github.com/nuxsmin/sysPass/releases/tag/2.1.0.17022601

Patch

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2017-5999

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-5999

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-5999

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2017-5999