Inadequate Encryption Strength Affecting magic-crypt package, versions >=0.0.0

Q: How to fix?

There is no fixed version for magic-crypt .

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Inadequate Encryption Strength vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-RUST-MAGICCRYPT-8554004
published31 Dec 2024
disclosed30 Dec 2024
creditfrozolotl

Report a new vulnerability Found a mistake?

Introduced: 30 Dec 2024

NewCWE-326 (opens in a new tab)

How to fix?

There is no fixed version for magic-crypt.

Overview

Affected versions of this package are vulnerable to Inadequate Encryption Strength due to the usage of MagicCrypt64 which uses the insecure DES block cipher in CBC mode without authentication. An attacker can decrypt data or execute padding oracle attacks by exploiting the weak cryptographic implementation.

References

GitHub Issue

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
High
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None