Miggo Logo
Miggo Vulnerability Database
CVE-2023-51839

CVE-2023-51839: DeviceFarmer stf uses DES-ECB

9.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-51839
GHSA ID
GHSA-7xm8-wjq7-88r5
EPSS Score
0.29836%
CWE
CWE-327
Published
1/29/2024
Updated
2/6/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
@devicefarmer/stfnpm<= 3.6.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is explicitly traced to line 35 of lib/util/vncauth.js where crypto.createCipheriv('des-ecb', ...) is called. DES-ECB is a deprecated algorithm that encrypts identical plaintext blocks to identical ciphertext blocks, making it vulnerable to pattern analysis attacks. The empty IV (Buffer.alloc(0)) and 56-bit DES key length further exacerbate the weakness. The code's direct use of this insecure algorithm matches the CWE-327 description and advisory references.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**vi****rm*r st* v*.*.* su***rs *rom Us* o* * *rok*n or Risky *rypto*r*p*i* *l*orit*m.

Reasoning

T** vuln*r**ility is *xpli*itly tr**** to lin* ** o* `li*/util/vn**ut*.js` w**r* `*rypto.*r**t**ip**riv`('**s-***', ...) is **ll**. **S-*** is * **pr***t** *l*orit*m t**t *n*rypts i**nti**l pl*int*xt *lo*ks to i**nti**l *ip**rt*xt *lo*ks, m*kin* it v