SNYK-RUST-PUBNUB-6098378
## Overview Affected versions of this package are vulnerable to Insufficient Entropy via the `getKey` function, due to inefficient implementation of the `AES-256-CBC` cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. **Note:** In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption. ## Remediation Upgrade `pubnub` to version 0.4.0 or higher. ## References - [GitHub Commit](https://github.com/pubnub/javascript/commit/fb6cd0417cbb4ba87ea2d5d86a9c94774447e119) - [GitHub Gist](https://gist.github.com/vargad/20237094fce7a0a28f0723d7ce395bb0) - [Vulnerable Code](https://github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js#L70)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- Aug 13, 2023 CVE Updated
- Dec 5, 2023 CVE Published
References
- https://security.snyk.io/vuln/SNYK-RUST-PUBNUB-6098378 advisory
- https://learn.snyk.io/lesson/insecure-randomness/ technical
- https://github.com/pubnub/javascript/commit/fb6cd0417cbb4ba87ea2d5d86a9c94774447e119 patch
- https://gist.github.com/vargad/20237094fce7a0a28f0723d7ce395bb0 technical
- https://github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js#L70 technical