Insecure Encryption

Affecting oic package, versions [,0.11.0.0)

medium severity

Overview

oic is a Python implementation of OAuth2 and OpenID Connect.

Affected versions of the package are vulnerable to Insecure Encryption because they use a weak key derivation function and a constant IV (initialization vector).
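The observable effect of these two weaknesses, as an added example that is not oic's code and not part of the original advisory: with a key derived deterministically from the password and a fixed IV, CBC output is deterministic and shared plaintext prefixes show up as identical ciphertext blocks. Assumptions: the unsalted SHA-256 derivation, the fixed IV value, and the Feistel stand-in block cipher (used instead of AES so only the standard library is needed) are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16
CONSTANT_IV = b"0" * BLOCK  # constructed fixed IV, not the value oic used

def _block_encrypt(key, block):
    # Stand-in 128-bit block cipher (4-round Feistel over HMAC-SHA256), NOT AES.
    # CBC's behaviour under a fixed IV does not depend on which cipher is used.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def cbc_encrypt(key, iv, plaintext):
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad  # PKCS#7 padding
    prev, out = iv, b""
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = _block_encrypt(key, mixed)
        out += prev
    return out

def encrypt_weak(password, plaintext):
    # Assumed weak pattern: one unsalted hash as the KDF, same IV every time.
    key = hashlib.sha256(password).digest()
    return cbc_encrypt(key, CONSTANT_IV, plaintext)

def encrypt_hardened(password, plaintext):
    # Fresh salt and IV per message, slow salted KDF; both travel with the data.
    # This fixes only the KDF and IV; production code should use an AEAD mode.
    salt, iv = os.urandom(16), os.urandom(BLOCK)
    key = hashlib.pbkdf2_hmac("sha256", password, salt, 600_000)
    return salt + iv + cbc_encrypt(key, iv, plaintext)

def shared_prefix_blocks(c1, c2):
    # Number of leading ciphertext blocks that two messages have in common.
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n

if __name__ == "__main__":
    pw, a, b = b"constructed-pw", b"A" * 32 + b"one", b"A" * 32 + b"two"
    print(shared_prefix_blocks(encrypt_weak(pw, a), encrypt_weak(pw, b)))
```

The leading 32 bytes of a hardened message are the salt and IV, so compare ciphertext from offset 32 onward when checking it with `shared_prefix_blocks`.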

Remediation

Upgrade oic to version 0.11.0.0 or higher.


Credit: Michael Schlenker
CWE: CWE-329
Snyk ID: SNYK-PYTHON-OIC-40768
Disclosed: 08 May, 2017
Published: 11 Jan, 2018