Insecure Encryption Affecting github.com/gopasspw/gopass/internal/tpl package, versions <1.11.0


Severity

medium

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-GOLANG-GITHUBCOMGOPASSPWGOPASSINTERNALTPL-1061912
  • Published: 18 Jan 2021
  • Disclosed: 18 Jan 2021
  • Credit: Yolan Romailler

Introduced: 18 Jan 2021

CVE: not available. CWE: CWE-326

How to fix?

Upgrade github.com/gopasspw/gopass/internal/tpl to version 1.11.0 or higher.

Overview

github.com/gopasspw/gopass/internal/tpl is a password manager for the command line.

Affected versions of this package are vulnerable to Insecure Encryption. The salted hash functions used in the templates use only 4 bytes of random salt, which can lead to them being brute-forced.
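To put the 4-byte figure in context, the following added example (not gopass code and not taken from the advisory) estimates how often independently generated salts repeat at a given salt length, and shows a salt generator that refuses short lengths. The names `newSalt`, `saltReuseProbability` and the 16-byte floor `minSaltBytes` are assumptions chosen for illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// minSaltBytes is an assumed policy floor (128 bits), not a value from gopass.
const minSaltBytes = 16

// newSalt returns n bytes from the OS CSPRNG and rejects lengths below the floor.
func newSalt(n int) ([]byte, error) {
	if n < minSaltBytes {
		return nil, errors.New("salt too short")
	}
	salt := make([]byte, n)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return salt, nil
}

// saltReuseProbability estimates the chance that at least two of `hashes`
// independently salted values share a salt, using the birthday approximation
// p = 1 - exp(-k(k-1) / (2 * 2^(8*saltBytes))).
// Expm1 keeps precision when the exponent is tiny (large salts).
func saltReuseProbability(hashes float64, saltBytes int) float64 {
	space := math.Pow(2, float64(8*saltBytes))
	return -math.Expm1(-hashes * (hashes - 1) / (2 * space))
}

func main() {
	// Compare the 4-byte salt from the advisory with the assumed 16-byte floor.
	for _, n := range []int{4, 16} {
		fmt.Printf("%2d-byte salt, 100000 hashes: reuse probability %.3g\n",
			n, saltReuseProbability(100000, n))
	}
	if _, err := newSalt(4); err != nil {
		fmt.Println("newSalt(4):", err)
	}
	salt, err := newSalt(minSaltBytes)
	if err != nil {
		panic(err)
	}
	fmt.Printf("newSalt(%d): %x\n", minSaltBytes, salt)
}
```

A repeated salt means one candidate guess can be checked against every hash that shares it, which is the cost saving a salt is meant to prevent.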

CVSS Scores

version 3.1