CVE-2023-26154

Exploit

EPSS 0.38%
Veröffentlicht 06.12.2023 05:15:10
Zuletzt bearbeitet 21.11.2024 07:50:53
Quelle report@snyk.io
CVE-Watchlists
Login
Unerledigt
Login

Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file.

**Note:**

In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 20

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pubnub ≫ C-core Version < 4.5.0

Pubnub ≫ Kotlin Version < 7.7.0

Pubnub ≫ Pubnub SwPlatform- Version < 0.4.0

Pubnub ≫ Pubnub SwPlatformgo Version < 7.2.0

Pubnub ≫ Pubnub SwPlatform- Version >= 3.6.4 < 4.3.0

Pubnub ≫ Pubnub SwPlatform- Version >= 4.3.1 < 5.2.0

Pubnub ≫ Pubnub SwPlatform- Version >= 6.0.0 < 6.1.0

Pubnub ≫ Pubnub SwPlatform- Version >= 6.2.0 < 6.19.0

Pubnub ≫ Pubnub SwPlatform- Version >= 7.0.0 < 7.3.0

Pubnub ≫ Pubnub SwPlatform- Version >= 7.3.1 < 7.4.0

Pubnub ≫ Swift Version < 6.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.38%	0.59

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
report@snyk.io	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-331 Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

https://gist.github.com/vargad/20237094fce7a0a28f0723d7ce395bb0

Exploit

Issue Tracking

https://github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js%23L70

Broken Link

https://github.com/pubnub/javascript/commit/fb6cd0417cbb4ba87ea2d5d86a9c94774447e119

Patch

https://security.snyk.io/vuln/SNYK-COCOAPODS-PUBNUB-6098384

Third Party Advisory

https://security.snyk.io/vuln/SNYK-DOTNET-PUBNUB-6098372

Third Party Advisory

https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPUBNUBGO-6098373