Homepage
About Snyk

Insecure Encryption Affecting encryptor package, versions <3.0.0, >=2.0.0

0.0
high

Snyk CVSS

    Attack Complexity Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-ENCRYPTOR-20434
  • published 9 Oct 2017
  • disclosed 19 Mar 2016
  • credit Matouš Borák
Report a new vulnerability Found a mistake?

Introduced: 19 Mar 2016

CVE NOT AVAILABLE CWE-327 Open this link in a new tab

How to fix?

Upgrade encryptor to version 3.0.0 or higher.

Overview

encryptor is a simple wrapper for the standard ruby OpenSSL library to encrypt and decrypt strings.

Affected versions of the package are vulnerable to Insecure Encryption due to encrypting all messages using the same key/nonce. This exposed the XOR of the plaintexts and also leaked the AES-GCM authentication key, allowing an attacker to forge messages and potentially perform chosen ciphertext attacks.