Description
Improper hashing in enrocrypt
Impact
The vulnerability is that we used the MD5 hashing algorithm in our hashing file. Anyone who is a beginner (and doesn't know about hashes) can face problems, as MD5 is considered an insecure hashing algorithm.
Patches
The vulnerability is patched in v1.1.4 of the product; users can upgrade to version 1.1.4.
Workarounds
If you specifically want a version and don't want to upgrade, you can remove the MD5 hashing function from the file hashing.py and this vulnerability will be gone.
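A check for the workaround above, as an added example (not code from EnroCrypt or the advisory): it parses Python source and reports remaining MD5 calls, so a locally edited hashing.py can be confirmed MD5-free. The name `find_md5_uses` and both sample sources are constructed for illustration and do not reproduce the project's actual file.

```python
import ast
import sys

WEAK = {"md5"}  # the algorithm the advisory names

def find_md5_uses(source: str):
    """Return sorted (line, description) pairs for MD5 use in Python source."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom) and node.module == "hashlib":
            # from hashlib import md5
            for alias in node.names:
                if alias.name.lower() in WEAK:
                    hits.append((node.lineno, f"from hashlib import {alias.name}"))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            attr = node.func.attr
            if attr.lower() in WEAK:
                # hashlib.md5(...); also matches wrappers such as obj.MD5(...)
                hits.append((node.lineno, f"call to .{attr}()"))
            elif attr == "new":
                # hashlib.new("md5", ...) or hashlib.new(name="md5")
                names = node.args[:1] + [k.value for k in node.keywords if k.arg == "name"]
                for arg in names:
                    if isinstance(arg, ast.Constant) and str(arg.value).lower() in WEAK:
                        hits.append((node.lineno, f"hashlib.new({arg.value!r})"))
    return sorted(hits)

# Constructed sample, NOT the project's real hashing.py.
SAMPLE_BEFORE = '''\
import hashlib

class Hashing:
    def SHA256(self, data: str):
        return hashlib.sha256(data.encode()).hexdigest()

    def MD5(self, data: str):
        return hashlib.md5(data.encode()).hexdigest()

    def legacy(self, data: str):
        return hashlib.new("md5", data.encode()).hexdigest()
'''
# The same constructed sample with the MD5 functions removed (the workaround).
SAMPLE_AFTER = SAMPLE_BEFORE.split("    def MD5")[0]

if __name__ == "__main__":
    # Usage: python check_md5.py path/to/hashing.py (falls back to the sample)
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BEFORE
    for line, what in find_md5_uses(src):
        print(f"line {line}: {what}")
```

An empty result means no direct MD5 call was found in that file; aliased imports or algorithm names built at runtime are outside what this static check sees.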
References
- https://www.cybersecurity-help.cz/vdb/cwe/916/
- https://www.cybersecurity-help.cz/vdb/cwe/327/
- https://www.cybersecurity-help.cz/vdb/cwe/328/
- https://www.section.io/engineering-education/what-is-md5/
- https://www.johndcook.com/blog/2019/01/24/reversing-an-md5-hash/
For more information
If you have any questions or comments about this advisory:
- Open an issue in Enrocrypt's Official Repo
- Create a Discussion in Enrocrypt's Official Repo
Links
- https://github.com/Morgan-Phoenix/EnroCrypt/security/advisories/GHSA-35m5-8cvj-8783
- https://nvd.nist.gov/vuln/detail/CVE-2021-39182
- https://github.com/Morgan-Phoenix/EnroCrypt/commit/e652d56ac60eadfc26489ab83927af13a9b9d8ce
- https://github.com/pypa/advisory-database/tree/main/vulns/enrocrypt/PYSEC-2021-385.yaml
Packages
- enrocrypt: affected versions < 1.1.4, fixed in 1.1.4
EPSS
CVSS4: 8.7 High
CVSS3: 7.5 High
CVE ID
Weaknesses
Related vulnerabilities
EnroCrypt is a Python module for encryption and hashing. Prior to version 1.1.4, EnroCrypt used the MD5 hashing algorithm in the hashing file. Beginners who are unfamiliar with hashes can face problems as MD5 is considered an insecure hashing algorithm. The vulnerability is patched in v1.1.4 of the product. As a workaround, users can remove the `MD5` hashing function from the file `hashing.py`.