Skip to content

pubnub Insufficient Entropy vulnerability

Moderate severity GitHub Reviewed Published Dec 6, 2023 to the GitHub Advisory Database • Updated May 20, 2024

Package

nuget Pubnub (NuGet)

Affected versions

< 6.19.0

Patched versions

6.19.0
maven com.pubnub:pubnub (Maven)
<= 4.6.5
None
maven com.pubnub:pubnub-kotlin (Maven)
< 7.7.0
7.7.0
gomod github.com/pubnub/go (Go)
<= 4.10.0
None
gomod github.com/pubnub/go/v5 (Go)
<= 5.0.3
None
gomod github.com/pubnub/go/v6 (Go)
<= 6.1.0
None
gomod github.com/pubnub/go/v7 (Go)
< 7.2.0
7.2.0
swift github.com/pubnub/swift (Swift)
< 6.2.0
6.2.0
npm pubnub (npm)
< 7.4.0
7.4.0
bundler pubnub (RubyGems)
< 5.3.0
5.3.0
cargo pubnub (Rust)
< 0.4.0
0.4.0
pub pubnub (Pub)
< 4.3.0
4.3.0
pip pubnub (pip)
< 7.3.0
7.3.0
composer pubnub/pubnub (Composer)
< 6.1.0
6.1.0

Description

Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file.

Note:

In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.

References

Published by the National Vulnerability Database Dec 6, 2023
Published to the GitHub Advisory Database Dec 6, 2023
Reviewed Dec 6, 2023
Last updated May 20, 2024

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS score

0.130%
(49th percentile)

Weaknesses

CVE ID

CVE-2023-26154

GHSA ID

GHSA-5844-q3fc-56rh

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.