Insufficient Entropy
CVE-2023-26154
Summary
The package pubnub is vulnerable to Insufficient Entropy via the getKey function, due to an inefficient implementation of the "AES-256-CBC" cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. **Note:** In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption. This vulnerability affects Npm-pubnub package versions prior to 7.4.0, Go-github.com/pubnub/go package versions prior to 7.2.0, NuGet-pubnub package versions prior to 6.19.0, Php-pubnub/pubnub package versions prior to 6.1.0, Python-pubnub package versions prior to 7.3.0, Ruby-pubnub package versions prior to 5.3.0, iOS-PubNubSwift:PubNubSwift package versions prior to 6.2.0, all versions of Maven-com.pubnub:pubnub, Maven-com.pubnub:pubnub-kotlin package versions prior to 7.7.0, and Maven-com.pubnub:pubnub-gson package versions prior to 6.4.0.
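The effect of hex encoding and trimming on key entropy can be measured directly. The following is an added example, not code from the pubnub SDKs: the function names are hypothetical, and the use of SHA-256 and a 32-character trim are assumptions made to model the pattern the summary describes.

```javascript
// Added illustration: function names are hypothetical, not the pubnub SDK API.
const crypto = require('crypto');

// Pattern the advisory describes (SHA-256 and the 32-character trim are
// assumptions): hash the cipher key, hex-encode the digest, trim it, and use
// the remaining ASCII characters as the AES-256 key bytes.
function hexTrimmedKey(cipherKey) {
  const hex = crypto.createHash('sha256').update(cipherKey, 'utf8').digest('hex');
  return Buffer.from(hex.slice(0, 32), 'utf8');
}

// Contrast: the 32 raw digest bytes used directly as the key.
function rawDigestKey(cipherKey) {
  return crypto.createHash('sha256').update(cipherKey, 'utf8').digest();
}

// Upper bound on key entropy: key length times log2 of the number of distinct
// byte values observed across a sample of derived keys.
function keyspaceBits(deriveKey, samples = 4096) {
  const seen = new Set();
  let length = 0;
  for (let i = 0; i < samples; i++) {
    const key = deriveKey(`constructed-cipher-key-${i}`); // constructed inputs
    length = key.length;
    for (const byte of key) seen.add(byte);
  }
  return { length, alphabet: seen.size, bits: length * Math.log2(seen.size) };
}

// Both derivations yield 32 bytes, so AES-256-CBC accepts either one and the
// reduced key space is not visible from the cipher's behaviour.
function acceptedByAes256Cbc(key) {
  crypto.createCipheriv('aes-256-cbc', key, crypto.randomBytes(16));
  return true;
}

console.log('hex-trimmed:', keyspaceBits(hexTrimmedKey));
console.log('raw digest: ', keyspaceBits(rawDigestKey));
```

Every byte of the hex-trimmed key is one of 16 ASCII characters, so a key that is nominally 256 bits long carries at most 128 bits of entropy.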
- HIGH
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-331 - Insufficient Entropy
The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
Advisory Timeline
- Published