CVE-2024-53441: Bit flip attack vulnerability in cookie-encrypter
(updated )
due to a weakness in the encryption method used in cookie-encrypter an attack can use the world visible IV to edit encrypted cookies without decrypting the cookie itself. This is known as an AES CBC bit flipping attack.
References
- crypto.stackexchange.com/questions/66085/bit-flipping-attack-on-cbc-mode
- gist.github.com/mathysEthical/f45f1503f87381090e38a33c50eec971
- github.com/advisories/GHSA-h63v-hw6g-x8hp
- github.com/ebourmalo/cookie-encrypter
- github.com/ebourmalo/cookie-encrypter/issues/9
- mathys.reboux.pro/CVE/2024/53441
- nvd.nist.gov/vuln/detail/CVE-2024-53441
Code Behaviors & Features
Detect and mitigate CVE-2024-53441 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →