CVE-2023-48056: PyPinkSign uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption
(updated )
PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications.
References
- github.com/advisories/GHSA-fxff-wxxv-c2jc
- github.com/bandoche/PyPinkSign
- github.com/bandoche/PyPinkSign/blob/main/pypinksign/pypinksign.py
- github.com/bandoche/PyPinkSign/blob/main/pypinksign/pypinksign.py
- github.com/bandoche/PyPinkSign/commit/e1809ddf6a266e9007e10f0486b462fa7f89a43d
- github.com/bandoche/PyPinkSign/issues/29
- github.com/pypa/advisory-database/tree/main/vulns/pypinksign/PYSEC-2023-245.yaml
- gxx777.github.io/PyPinkSign_v0.5.1_Cryptographic_API_Misuse_Vulnerability.md
- nvd.nist.gov/vuln/detail/CVE-2023-48056
Detect and mitigate CVE-2023-48056 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →