openssl-encrypt@1.4.0b3

A package for secure file encryption and decryption based on modern ciphers, using heavy-compute-load chaining of hashing and KDF to derive a strong encryption password from the user-provided password, to ensure secure encryption of files.

  • latest version

    1.4.2

  • latest non-vulnerable version

  • first published

    1 year ago

  • latest version published

    11 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the openssl-encrypt package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • High severity
    Use of GET Request Method With Sensitive Query Strings

    openssl-encrypt is a package for secure file encryption and decryption based on modern ciphers, using heavy-compute-load chaining of hashing and KDF to derive a strong encryption password from the user-provided password, to ensure secure encryption of files.

    Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings via the refresh_token parameter in URL query strings. An attacker can obtain sensitive authentication tokens by accessing server logs, proxy or CDN logs, browser history, HTTP Referer headers, or through network monitoring tools.

    How to fix Use of GET Request Method With Sensitive Query Strings?

    Upgrade openssl-encrypt to version 1.4.0 or higher.

    [,1.4.0)
    • Critical severity
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the CORS configuration. An attacker can gain unauthorized access to sensitive API endpoints by making authenticated cross-origin requests from a malicious website.

    How to fix Incorrect Authorization?

    Upgrade openssl-encrypt to version 1.4.0 or higher.

    [,1.4.0)
    • High severity
    Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization in the revoke_key function. An attacker can revoke another user's key by providing a valid revocation signature without ownership verification.

    How to fix Missing Authorization?

    Upgrade openssl-encrypt to version 1.4.0 or higher.

    [,1.4.0)
    • High severity
    Insertion of Sensitive Information Into Sent Data

    Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the ready endpoint in the server. An attacker can obtain sensitive database error information, including hostnames, IP addresses, connection parameters, driver versions, and potentially credentials, by sending unauthenticated requests and receiving detailed exception messages in the response.

    How to fix Insertion of Sensitive Information Into Sent Data?

    Upgrade openssl-encrypt to version 1.4.0 or higher.

    [,1.4.0)
    • High severity
    Improper Verification of Cryptographic Signature

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the from_dict and to_identity methods. An attacker can cause sensitive information to be encrypted to an attacker's public key by supplying a malicious key bundle that is not properly verified before conversion to an identity.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade openssl-encrypt to version 1.4.0 or higher.

    [,1.4.0)
    • Critical severity
    Uncontrolled Search Path Element

    Affected versions of this package are vulnerable to Uncontrolled Search Path Element through the dynamic loading in hash_registry.py when a broad glob pattern is used to locate .so files without verifying their integrity. An attacker can execute arbitrary native code by placing a malicious .so file matching the expected pattern in a site-packages directory.

    How to fix Uncontrolled Search Path Element?

    Upgrade openssl-encrypt to version 1.4.0 or higher.

    [,1.4.0)
    • Critical severity
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of an in-memory defaultdict for rate limiting in the TOTP authentication. An attacker can bypass rate limiting by distributing authentication attempts across multiple server instances or by restarting the server to reset the rate limit state.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade openssl-encrypt to version 1.4.0 or higher.

    [,1.4.0)
    • High severity
    Credential Exposure

    Affected versions of this package are vulnerable to Credential Exposure via the --password and --keystore-password CLI arguments, which are visible in the process list to any user on the system. An attacker can obtain sensitive credentials by inspecting running processes or accessing process command-line arguments.

    How to fix Credential Exposure?

    Upgrade openssl-encrypt to version 1.4.0 or higher.

    [,1.4.0)
    • High severity
    Improper Check for Unusual or Exceptional Conditions

    Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the schema validation when the jsonschema library is not installed or when unknown metadata format versions are provided. An attacker can bypass all schema validation by removing the required library from the environment or by supplying metadata with an unrecognized version, resulting in the acceptance of malformed or malicious data.

    How to fix Improper Check for Unusual or Exceptional Conditions?

    Upgrade openssl-encrypt to version 1.4.0 or higher.

    [,1.4.0)
    • High severity
    Insufficient Entropy

    Affected versions of this package are vulnerable to Insufficient Entropy in the generate_pseudorandom_sequence function. An attacker can predict the sequence of pixel or sample selection by recovering the state of the pseudorandom number generator, allowing the extraction of hidden data without needing the password.

    How to fix Insufficient Entropy?

    Upgrade openssl-encrypt to version 1.4.0 or higher.

    [,1.4.0)