CVE-2024-21530

Versions of the package cocoon before 0.4.0 are vulnerable to Reusing a Nonce, Key Pair in Encryption when the encrypt, wrap, and dump functions are sequentially called. An attacker can generate the same ciphertext by creating a new encrypted message with the same cocoon object. **Note:** The issue does NOT affect objects created with Cocoon::new which utilizes ThreadRng.

CVSS v3 4.5 MEDIUM

4.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.4 / Impact : 2.7

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/advisories/GHSA-6878-6wc2-pf5h
https://github.com/fadeevab/cocoon/commit/1b6392173ce35db4736a94b62b2d2973f9a71441
https://github.com/fadeevab/cocoon/issues/22
https://rustsec.org/advisories/RUSTSEC-2023-0068.html
https://security.snyk.io/vuln/SNYK-RUST-COCOON-6028364

Configurations

No configuration.

History

04 Oct 2024, 13:50

Type	Values Removed	Values Added
Summary		(es) Las versiones del paquete cocoon anteriores a la 0.4.0 son vulnerables a la reutilización de un par de claves nonce en el cifrado cuando se invocan secuencialmente las funciones de cifrado, envoltura y volcado. Un atacante puede generar el mismo texto cifrado creando un nuevo mensaje cifrado con el mismo objeto cocoon. Nota: El problema NO afecta a los objetos creados con Cocoon::new, que utiliza ThreadRng.

02 Oct 2024, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-02 05:15

Updated : 2024-10-04 13:50

NVD link : CVE-2024-21530

Mitre link : CVE-2024-21530

CVE.ORG link : CVE-2024-21530

JSON object : View

Products Affected

No product.

CWE

CWE-323

Reusing a Nonce, Key Pair in Encryption

4.5 /10