GMS-2020-423: Hardcoded Initialization Vector in parsel

September 4, 2020

All versions of parsel have a default hardcoded initialization vector. In cases where the IV is not provided, the package defaults to a hardcoded IV which renders the cipher vulnerable to chosen plaintext attacks. The package is deprecated and will not be updated. Consider using an alternative package.

References

github.com/advisories/GHSA-q643-w9jp-q2qg
www.npmjs.com/advisories/1460

Code Behaviors & Features

Detect and mitigate GMS-2020-423 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →