5.9

CVE-2023-26154

Exploit
Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file.

**Note:**

In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PubnubC-core Version < 4.5.0
PubnubKotlin Version < 7.7.0
PubnubPubnub SwPlatform- Version < 0.4.0
PubnubPubnub SwPlatformgo Version < 7.2.0
PubnubPubnub SwPlatform- Version >= 3.6.4 < 4.3.0
PubnubPubnub SwPlatform- Version >= 4.3.1 < 5.2.0
PubnubPubnub SwPlatform- Version >= 6.0.0 < 6.1.0
PubnubPubnub SwPlatform- Version >= 6.2.0 < 6.19.0
PubnubPubnub SwPlatform- Version >= 7.0.0 < 7.3.0
PubnubPubnub SwPlatform- Version >= 7.3.1 < 7.4.0
PubnubSwift Version < 6.2.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.96% 0.567
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
report@snyk.io 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-331 Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

https://gist.github.com/vargad/20237094fce7a0a28f0723d7ce395bb0
Exploit
Issue Tracking
https://github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js%23L70
Broken Link
https://github.com/pubnub/javascript/commit/fb6cd0417cbb4ba87ea2d5d86a9c94774447e119
Patch
https://security.snyk.io/vuln/SNYK-COCOAPODS-PUBNUB-6098384
Third Party Advisory
https://security.snyk.io/vuln/SNYK-DOTNET-PUBNUB-6098372
Third Party Advisory
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPUBNUBGO-6098373
Third Party Advisory
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPUBNUBGOV7-6098374
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-COMPUBNUB-6098371
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-COMPUBNUB-6098380
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-PUBNUB-5840690
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PHP-PUBNUBPUBNUB-6098376
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PUB-PUBNUB-6098385
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PYTHON-PUBNUB-6098375
Third Party Advisory
https://security.snyk.io/vuln/SNYK-RUBY-PUBNUB-6098377
Third Party Advisory
https://security.snyk.io/vuln/SNYK-RUST-PUBNUB-6098378
Third Party Advisory
https://security.snyk.io/vuln/SNYK-SWIFT-PUBNUBSWIFT-6098381
Third Party Advisory
https://security.snyk.io/vuln/SNYK-UNMANAGED-PUBNUBCCORE-6098379
Third Party Advisory