Insecure Encryption Affecting encryptor package, versions <3.0.0, >=2.0.0
Snyk CVSS
Attack Complexity
Low
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-ENCRYPTOR-20434
- published 9 Oct 2017
- disclosed 19 Mar 2016
- credit Matouš Borák
How to fix?
Upgrade encryptor
to version 3.0.0 or higher.
Overview
encryptor
is a simple wrapper for the standard ruby OpenSSL library to encrypt and decrypt strings.
Affected versions of the package are vulnerable to Insecure Encryption due to encrypting all messages using the same key/nonce
. This exposed the XOR
of the plaintexts and also leaked the AES-GCM
authentication key, allowing an attacker to forge messages and potentially perform chosen ciphertext attacks.