SNYK-RUBY-PUBNUB-6098377

SNYK-RUBY-PUBNUB-6098377 PUBLISHED CVSS 5.900000095367432 MEDIUM

## Overview Affected versions of this package are vulnerable to Insufficient Entropy via the `getKey` function, due to inefficient implementation of the `AES-256-CBC` cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. **Note:** In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption. ## Remediation Upgrade `pubnub` to version 5.3.0 or higher. ## References - [GitHub Commit](https://github.com/pubnub/javascript/commit/fb6cd0417cbb4ba87ea2d5d86a9c94774447e119) - [GitHub Gist](https://gist.github.com/vargad/20237094fce7a0a28f0723d7ce395bb0) - [Vulnerable Code](https://github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js#L70)

Risk Scores

CVSS v3.1

5.900000095367432

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
		0

Timeline

Aug 13, 2023 CVE Updated
Dec 5, 2023 CVE Published

References

Open in Interactive Console →