Описание
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
A flaw was found in the npm pbkdf2 library, allowing signature spoofing. When executing in javascript engines other than Nodejs or Nodejs when importing pbkdf2/browser, certain algorithms will silently fail and return invalid data. The return values are predictable, which undermines the security guarantees of the package.
Отчет
This flaw is rated important because it causes the pbkdf2 module to quietly return weak or zero-filled keys when certain algorithm names are used incorrectly in browsers or bundled code, this causes the function to silently return a predictable value (such as a zero-filled buffer or uninitialized memory) instead of a securely derived key, completely undermining the confidentiality and integrity of any cryptographic operation where attackers could guess or reuse these keys to access or change protected data.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-console-plugin-rhel8 | Affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-api-rhel8 | Affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-api-rhel9 | Affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-db-migration-rhel8 | Affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-db-migration-rhel9 | Affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-ui-rhel8 | Affected | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-ui-rhel9 | Affected | ||
| OpenShift Serverless | openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8 | Will not fix | ||
| OpenShift Service Mesh 3 | openshift-service-mesh/kiali-operator-bundle | Will not fix |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2.
Improper Input Validation vulnerability in pbkdf2 allows Signature Spo ...
pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
Уязвимость библиотеки pbkdf2 программной платформы Node.js, связанная с недостатками механизма проверки входных данных, позволяющая нарушителю подделать цифровую подпись
EPSS
8.1 High
CVSS3