Miggo Logo
Miggo Vulnerability Database
CVE-2018-20999

CVE-2018-20999: Flaw in streaming state in orion

7.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2018-20999
GHSA ID
GHSA-gffv-5hr2-f9gj
EPSS Score
0.55713%
CWE
CWE-682
Published
8/25/2021
Updated
6/13/2023
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
orionrust< 0.11.20.11.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers on improper state reset in streaming APIs. Cryptographic streaming primitives like Chacha20 and Poly1305 in Orion would logically require stateful operations with reset capabilities. The advisory specifically mentions incorrect results from reset-before-finalize patterns, which aligns with how these algorithms manage internal buffers and nonces. The high confidence comes from: 1) The CWE-682 classification indicating calculation errors 2) The reset() function being explicitly mentioned in the advisory 3) Standard cryptographic library patterns where streaming APIs require careful state management 4) Historical precedent for similar vulnerabilities in streaming cipher implementations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* t*is *r*t* *i* not prop*rly r*s*t * str**min* st*t*. R*s*ttin* * str**min* st*t*, wit*out *in*lisin* it *irst, *r**t*s in*orr**t r*sults. T** *l*w w*s *orr**t** *y not *irst ****kin* i* t** st*t* *** *lr***y ***n r*s*t, w**n **ll

Reasoning

T** vuln*r**ility **nt*rs on improp*r st*t* r*s*t in str**min* *PIs. *rypto*r*p*i* str**min* primitiv*s lik* ******** *n* Poly**** in Orion woul* lo*i**lly r*quir* st*t**ul op*r*tions wit* r*s*t **p**iliti*s. T** **visory sp**i*i**lly m*ntions in*orr