GHSA-r2r8-36pq-27cm: nzo/url-encryptor-bundle Insecure default secret key and IV allowing anyone to decrypt values
Versions of nzo/url-encryptor-bundle prior to 5.0.1 and 4.3.2 are affected by a security vulnerability related to the lack of mandatory key and IV requirements. By default, the bundle uses the aes-256-ctr algorithm, which is susceptible to malleability attacks, potentially leading to Insecure Direct Object Reference (IDOR) vulnerabilities. Additionally, the reuse of keys enables users to decrypt and modify encrypted data if they can guess the plaintext of one ciphertext.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/nzo/url-encryptor-bundle/2020-05-03.yaml
- github.com/advisories/GHSA-r2r8-36pq-27cm
- github.com/nayzo/NzoUrlEncryptorBundle
- github.com/nayzo/NzoUrlEncryptorBundle/commit/ba3af1a9bcf3bedcc0ed5948979f482e2134da1a
- github.com/nayzo/NzoUrlEncryptorBundle/commit/bd8232501c12c9df1bc45b1970870ef665218581
Code Behaviors & Features
Detect and mitigate GHSA-r2r8-36pq-27cm with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →