CVE-2012-2146: Elixir can leak information due to weak use of crypto

May 17, 2022 (updated September 20, 2024)

Elixir prior to and including 0.7.1 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database. A patch has been attached to the initial advisory to mitigate this vulnerability.

References

bugzilla.redhat.com/show_bug.cgi?id=810013
github.com/advisories/GHSA-vfcg-5ggc-3rxx
github.com/pypa/advisory-database/tree/main/vulns/elixir/PYSEC-2012-13.yaml
nvd.nist.gov/vuln/detail/CVE-2012-2146

Detect and mitigate CVE-2012-2146 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →