CVE-2024-28864: [TagAwareCipher] - Decryption Failure (Regex Match)
Vulnerability in SecureProps involves a regex failing to detect tags during decryption of encrypted data.
This occurs when the encrypted data has been encoded with NullEncoder and passed to TagAwareCipher, and contains special characters such as \n. As a result, the decryption process is skipped since the tags are not detected. This causes the encrypted data to be returned in plain format.
The vulnerability affects users who implement TagAwareCipher with any base cipher that has NullEncoder (not default).
References
- github.com/IlicMiljan/Secure-Props
- github.com/IlicMiljan/Secure-Props/commit/ab7b561040cd37fda3dbf9a6cab01fefcaa16627
- github.com/IlicMiljan/Secure-Props/issues/20
- github.com/IlicMiljan/Secure-Props/pull/21
- github.com/IlicMiljan/Secure-Props/security/advisories/GHSA-rj29-j2g4-77q8
- github.com/advisories/GHSA-rj29-j2g4-77q8
- nvd.nist.gov/vuln/detail/CVE-2024-28864
Detect and mitigate CVE-2024-28864 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →