
CVE-2012-2146: Elixir can leak information due to weak use of crypto

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.6335%
Published: 5/17/2022
Updated: 9/20/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: Elixir
Ecosystem: pip
Vulnerable Versions: <= 0.7.1
First Patched Version: not listed

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from insecure IV handling in Blowfish-CFB encryption. The encrypt_value function shown in the references calls Blowfish.new(secret, Blowfish.MODE_CFB) without specifying an IV, so the IV defaults to all zeroes for every value. Reusing a fixed IV under a fixed key violates the requirements of CFB mode: identical plaintexts (and plaintexts that share a prefix) produce identical ciphertexts (or identical ciphertext prefixes), so an attacker who can read the stored ciphertexts can recognise equal or related values without the key. The patch introduces AES with proper IV generation, confirming the original function's weakness. The test case showing fixed ciphertext output in comment #38 further validates this function as the vulnerability source.


WAF Protection Rules

WAF Rule

Elixir prior to and including 0.7.1 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database. A patch has been [atta
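
The Root Cause Analysis and the rule description above both come down to one mode-level defect: CFB run under a key that never changes with an IV that is always all-zero. The Python below is an added example written for this page; it is not Elixir's encrypt_value, not the patch, and not Miggo's code. It substitutes a keyed HMAC-based block function for Blowfish (CFB only ever uses the cipher's forward direction, so the leak does not depend on which block cipher sits underneath), encrypts constructed sample values with the fixed-IV pattern beside a per-value random IV, and measures what someone reading the stored ciphertexts can tell without the key. All function names, the stand-in block function and the sample values are constructed for the example; the real fix, per the page, also moved to AES, which the example does not model.

```python
import hashlib
import hmac
import os

BLOCK = 8  # Blowfish block size in bytes; CFB produces keystream one block at a time


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the cipher's forward block function (hypothetical, NOT Blowfish).

    CFB mode only calls the forward direction, so any keyed pseudorandom function
    of one block is enough to show the mode-level defect. HMAC-SHA256 truncated to
    the block size keeps the example dependency-free; it is not a cipher recommendation.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block CFB: C_i = P_i XOR E(C_{i-1}), with C_{-1} = IV. No padding is needed."""
    assert len(iv) == BLOCK, "IV must be exactly one block"
    out = bytearray()
    feedback = iv
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        keystream = block_encrypt(key, feedback)
        cipher_block = bytes(p ^ k for p, k in zip(chunk, keystream))
        out += cipher_block
        feedback = cipher_block  # a short final chunk ends the loop, so only full blocks feed back
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB decryption also uses the forward block function: P_i = C_i XOR E(C_{i-1})."""
    assert len(iv) == BLOCK, "IV must be exactly one block"
    out = bytearray()
    feedback = iv
    for i in range(0, len(ciphertext), BLOCK):
        chunk = ciphertext[i:i + BLOCK]
        keystream = block_encrypt(key, feedback)
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        feedback = chunk
    return bytes(out)


# --- Vulnerable pattern: no IV supplied, so every value starts from the same all-zero IV ---
ZERO_IV = bytes(BLOCK)


def encrypt_value_fixed_iv(secret: bytes, value: bytes) -> bytes:
    return cfb_encrypt(secret, ZERO_IV, value)


def decrypt_value_fixed_iv(secret: bytes, blob: bytes) -> bytes:
    return cfb_decrypt(secret, ZERO_IV, blob)


# --- Corrected pattern: a fresh random IV per value, stored in front of the ciphertext ---
def encrypt_value_random_iv(secret: bytes, value: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    return iv + cfb_encrypt(secret, iv, value)


def decrypt_value_random_iv(secret: bytes, blob: bytes) -> bytes:
    iv, body = blob[:BLOCK], blob[BLOCK:]
    return cfb_decrypt(secret, iv, body)


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Leading bytes two ciphertexts share: exactly what a reader of the database can see."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def demonstrate(secret: bytes = b"constructed-secret") -> dict:
    """Compare what leaks under a fixed IV versus a per-value random IV (constructed sample rows)."""
    row_a = b"2024-01-15 alice"  # two stored values sharing an 11-byte prefix
    row_b = b"2024-01-15 bob"
    fixed_a, fixed_a_again, fixed_b = (encrypt_value_fixed_iv(secret, v) for v in (row_a, row_a, row_b))
    rand_a, rand_a_again, rand_b = (encrypt_value_random_iv(secret, v) for v in (row_a, row_a, row_b))
    return {
        # same plaintext -> identical ciphertext: equal rows are visible without the key
        "fixed_iv_equal_values_match": fixed_a == fixed_a_again,
        # shared plaintext prefix -> shared ciphertext prefix (the whole "2024-01-15 " part, 11 bytes)
        "fixed_iv_shared_prefix": common_prefix_len(fixed_a, fixed_b),
        "fixed_iv_roundtrip": decrypt_value_fixed_iv(secret, fixed_a) == row_a,
        # with a fresh IV the same plaintext encrypts differently every time
        "random_iv_equal_values_match": rand_a == rand_a_again,
        "random_iv_shared_prefix": common_prefix_len(rand_a, rand_b),
        "random_iv_roundtrip": decrypt_value_random_iv(secret, rand_a) == row_a,
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

The 11-byte shared prefix under the fixed IV is the leak the page describes: block 0 of both rows is XORed with the same E(IV), and because the resulting ciphertext blocks are equal, block 1 is XORed with the same E(C_0) as well, so every byte up to the first plaintext difference is exposed as equal. Prepending a random IV costs one block of storage per value and removes both the equal-value and shared-prefix signals.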
