GoogleOSV:GHSA-FXFF-WXXV-C2JCPyPinkSign uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
23.1%
PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications.
References
bandoche.com
pypinksign.com
github.com/bandoche/PyPinkSign
github.com/bandoche/PyPinkSign/blob/main/pypinksign/pypinksign.py#L504
github.com/bandoche/PyPinkSign/blob/main/pypinksign/pypinksign.py#L537
github.com/bandoche/PyPinkSign/commit/e1809ddf6a266e9007e10f0486b462fa7f89a43d
github.com/bandoche/PyPinkSign/issues/29
github.com/pypa/advisory-database/tree/main/vulns/pypinksign/PYSEC-2023-245.yaml
gxx777.github.io/PyPinkSign_v0.5.1_Cryptographic_API_Misuse_Vulnerability.md
nvd.nist.gov/vuln/detail/CVE-2023-48056
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
23.1%