Insufficient Entropy

CVE-2023-26154

Severity Medium
Score 5.9/10

Summary

The package pubnub is vulnerable to Insufficient Entropy via the getKey function, due to an inefficient implementation of the "AES-256-CBC" cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. **Note:** To exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.

This vulnerability affects:

  • Npm-pubnub package versions prior to 7.4.0
  • Go-github.com/pubnub/go package versions prior to 7.2.0
  • NuGet-pubnub package versions prior to 6.19.0
  • Php-pubnub/pubnub package versions prior to 6.1.0
  • Python-pubnub package versions prior to 7.3.0
  • Ruby-pubnub package versions prior to 5.3.0
  • iOS-PubNubSwift:PubNubSwift package versions prior to 6.2.0
  • all versions of Maven-com.pubnub:pubnub
  • Maven-com.pubnub:pubnub-kotlin package versions prior to 7.7.0
  • Maven-com.pubnub:pubnub-gson package versions prior to 6.4.0

  • HIGH
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-331 - Insufficient Entropy

The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
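The entropy loss described in the summary, measured in an added Python example that is not PubNub's code. It assumes the derivation is SHA-256 of the cipher key, hex-encoded and trimmed to 32 characters (the page names only the hex encoding and trimming); the function names and sample cipher keys are constructed for illustration.

```python
import hashlib
import math

KEY_LEN = 32  # AES-256 key length in bytes


def hex_trimmed_key(cipher_key: str) -> bytes:
    # Pattern from the summary: hash, hex-encode, trim to 32 characters, then
    # use the ASCII text as key bytes. SHA-256 is an assumption of this example.
    return hashlib.sha256(cipher_key.encode()).hexdigest()[:KEY_LEN].encode("ascii")


def raw_digest_key(cipher_key: str) -> bytes:
    # Comparison case: the 32 raw digest bytes used directly as the key.
    return hashlib.sha256(cipher_key.encode()).digest()


def keyspace_bits(derive, samples: int = 4000) -> float:
    # Upper bound on key entropy: log2 of the number of distinct values seen at
    # each byte position, summed over the key. Inputs are constructed strings.
    seen = [set() for _ in range(KEY_LEN)]
    for i in range(samples):
        for pos, byte in enumerate(derive(f"constructed-cipher-key-{i}")):
            seen[pos].add(byte)
    return sum(math.log2(len(values)) for values in seen)


def is_hex_text_key(key: bytes) -> bool:
    # Audit check: a key made only of ASCII hex digits carries at most
    # 4 bits per byte, whatever its length.
    return len(key) > 0 and all(b in b"0123456789abcdefABCDEF" for b in key)


if __name__ == "__main__":
    for name, derive in (("hex+trim", hex_trimmed_key), ("raw digest", raw_digest_key)):
        sample = derive("constructed-cipher-key-0")
        print(f"{name:10s} <= {keyspace_bits(derive):6.1f} bits of {KEY_LEN * 8}, "
              f"hex text: {is_hex_text_key(sample)}")
```

Each byte of the hex-trimmed key can take only 16 values, so a 32-byte key carries at most 128 bits; `is_hex_text_key` can be pointed at stored or derived key material when auditing other code for the same pattern.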

Advisory Timeline

  • Published