Description
Insecure Cryptography Algorithm in simple-crypto-js
Versions of simple-crypto-js prior to 2.3.0 use AES-CBC with PKCS#7 padding, which is vulnerable to padding oracle attacks. This may allow attackers to break the encryption and access sensitive data.
Recommendation
Upgrade to version 2.3.0 or later.
References
- https://github.com/danang-id/simple-crypto-js/issues/12
- https://github.com/danang-id/simple-crypto-js/pull/17
- https://github.com/danang-id/simple-crypto-js/commit/416584369de1dad9b21ac3fe85df0b71cf5718b2
- https://robertheaton.com/2013/07/29/padding-oracle-attack
- https://snyk.io/vuln/SNYK-JS-SIMPLECRYPTOJS-544027
Packages
Name: simple-crypto-js (npm)
Affected versions: < 2.3.0
Fixed version: 2.3.0
CVSS3: 5.9 Medium
Weaknesses: CWE-327