CVE-2024-28864

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-28864
SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded with `NullEncoder` and passed to `TagAwareCipher`, and contains special characters such as `\n`. As a result, the decryption process is skipped since the tags are not detected. This causes the encrypted data to be returned in plain format. The vulnerability affects users who implement `TagAwareCipher` with any base cipher that has `NullEncoder` (not default). The patch for the issue has been released. Users are advised to update to version 1.2.2. As a workaround, one may use the default `Base64Encoder` with the base cipher decorated with `TagAwareCipher` to prevent special characters in the encrypted string from interfering with regex tag detection logic. This workaround is safe but may involve double encoding since `TagAwareCipher` uses `NullEncoder` by default.

2.6 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/IlicMiljan/Secure-Props/commit/ab7b561040cd37fda3dbf9a6cab01fefcaa16627
https://github.com/IlicMiljan/Secure-Props/issues/20
https://github.com/IlicMiljan/Secure-Props/pull/21
https://github.com/IlicMiljan/Secure-Props/security/advisories/GHSA-rj29-j2g4-77q8
Configurations

No configuration.

History

19 Mar 2024, 13:26

Type Values Removed Values Added
Summary
  • (es) SecureProps es una librería PHP diseñada para simplificar el cifrado y descifrado de datos de propiedades en objetos. Una vulnerabilidad en SecureProps versión 1.2.0 y 1.2.1 implica que una expresión regular no detecta etiquetas durante el descifrado de datos cifrados. Esto ocurre cuando los datos cifrados se codificaron con `NullEncoder` y se pasaron a `TagAwareCipher` y contienen caracteres especiales como `\n`. Como resultado, se omite el proceso de descifrado ya que no se detectan las etiquetas. Esto hace que los datos cifrados se devuelvan en formato plano. La vulnerabilidad afecta a los usuarios que implementan `TagAwareCipher` con cualquier cifrado base que tenga `NullEncoder` (no predeterminado). Se ha publicado el parche para el problema. Se recomienda a los usuarios que actualicen a la versión 1.2.2. Como workaround, se puede utilizar el `Base64Encoder` predeterminado con el cifrado base decorado con `TagAwareCipher` para evitar que los caracteres especiales en la cadena cifrada interfieran con la lógica de detección de etiquetas regex. Este workaround es seguro pero puede implicar doble codificación ya que `TagAwareCipher` usa `NullEncoder` de forma predeterminada.

18 Mar 2024, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-03-18 22:15

Updated : 2024-03-19 13:26

NVD link : CVE-2024-28864

Mitre link : CVE-2024-28864

CVE.ORG link : CVE-2024-28864

JSON object : View

Products Affected

No product.

CWE
CWE-1333

Inefficient Regular Expression Complexity


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024