Insecure Randomness Affecting pypinksign package, versions [0,]


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.06% (27th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-PYPINKSIGN-6068108
  • published 17 Nov 2023
  • disclosed 16 Nov 2023
  • credit gxx777

How to fix?

There is no fixed version for pypinksign.

Overview

pypinksign is a Basic NPKI module.

Affected versions of this package are vulnerable to Insecure Randomness due to improper encryption operations. An attacker could exploit the patterns of the encrypted data, that is less secure.

Workaround

Users should not set default constant IV for CBC encryption. Users should modify the encryption process to generate a random IV each time an encryption operation is performed.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

NVD

7.5 high