
CVE-2024-33662: Portainer improperly uses an encryption algorithm in the AesEncrypt function

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.08125%
Published: 10/2/2024
Updated: 12/4/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name: github.com/portainer/portainer
Ecosystem: go
Vulnerable Versions: < 2.20.2
First Patched Version: 2.20.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

  1. The advisory explicitly names `AesEncrypt` as the vulnerable function.
  2. The assigned weakness, CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), points to an insecure mode or configuration of AES rather than a flaw in AES itself; ECB mode is the classic example.
  3. Common AES misuse patterns in Go code are an unauthenticated mode (CBC, CFB, OFB or CTR used instead of AES-GCM), which leaves the ciphertext malleable, and IV or nonce mismanagement (a fixed, reused or predictable IV), which leaks relationships between plaintexts encrypted under the same key.
  4. The function name matches a pattern seen in other advisories, where a hand-rolled `AesEncrypt` helper calls the block cipher directly with an ad hoc choice of mode and IV.
  5. The file path reported in the vulnerable functions section is inferred from where Go projects typically keep cryptographic helpers, not taken from the advisory.

These points are inferences from the advisory text and the CWE assignment, not from a code diff. To confirm which mode and IV handling were at fault, compare `AesEncrypt` in the last vulnerable release with the 2.20.2 implementation before tuning detections or assessing exposure of data encrypted by older versions.
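The example below is added here to make items 3 and 4 concrete; it is illustrative Go written for this page, not Portainer's code, and it makes no claim about what Portainer's `AesEncrypt` actually did. `WeakEncrypt` combines the two flaws the analysis names (an unauthenticated stream mode with a fixed IV) and `GCMEncrypt`/`GCMDecrypt` show the hardened form. The function names, the SHA-256 stand-in for key derivation and the sample messages are all assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// deriveKey stands in for a key-derivation step (illustrative only; use a
// salted, memory-hard KDF such as Argon2id in real code). 32 bytes => AES-256.
func deriveKey(passphrase []byte) []byte {
	sum := sha256.Sum256(passphrase)
	return sum[:]
}

// WeakEncrypt is hypothetical code showing the flaw class named above: an
// unauthenticated stream mode (OFB) driven by a fixed all-zero IV, so every
// message under one passphrase gets the same keystream and tampering is silent.
func WeakEncrypt(passphrase, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(passphrase))
	if err != nil {
		return nil, err
	}
	var iv [aes.BlockSize]byte // fixed IV: the defect being demonstrated
	out := make([]byte, len(plaintext))
	cipher.NewOFB(block, iv[:]).XORKeyStream(out, plaintext)
	return out, nil // OFB decryption is the same XOR, so this also decrypts
}

// KeystreamLeak is the attacker's view: XORing two ciphertexts made with the
// same key and IV cancels the keystream and yields p1 XOR p2 without the key.
func KeystreamLeak(c1, c2 []byte) []byte {
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = c1[i] ^ c2[i]
	}
	return out
}

// GCMEncrypt is the hardened form: AES-256-GCM with a fresh random nonce
// prepended to the output and an authentication tag appended by Seal.
func GCMEncrypt(passphrase, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(passphrase))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// GCMDecrypt splits off the nonce and lets Open verify the tag; any change to
// nonce, ciphertext or tag makes Open fail instead of returning garbage.
func GCMDecrypt(passphrase, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(passphrase))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < aead.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, sealed := ciphertext[:aead.NonceSize()], ciphertext[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, nil)
}

func main() {
	// Constructed sample inputs for the demonstration.
	pass := []byte("example-passphrase")
	p1 := []byte("transfer 100 to alice")
	p2 := []byte("transfer 900 to mallory")
	c1, _ := WeakEncrypt(pass, p1)
	c2, _ := WeakEncrypt(pass, p2)
	fmt.Println("weak: c1^c2 == p1^p2:", string(KeystreamLeak(c1, c2)) == string(KeystreamLeak(p1, p2)))
	c1[9] ^= 0x08 // flip one bit: '1' (0x31) becomes '9' (0x39) after decryption
	d, _ := WeakEncrypt(pass, c1)
	fmt.Printf("weak: tampered ciphertext decrypts silently to %q\n", d)
	g, _ := GCMEncrypt(pass, p1)
	g[len(g)-1] ^= 0x01 // tamper with the tag
	_, err := GCMDecrypt(pass, g)
	fmt.Println("gcm: tampering detected:", err != nil)
}
```

Run with `go run`: the weak path shows the keystream cancelling out and a single flipped bit turning "100" into "900" with no error, while the GCM path rejects the tampered message. The `len(ciphertext) < NonceSize` check matters in practice: slicing a too-short input to split off the nonce would panic, so reject it up front.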

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Portainer before 2.20.2 improperly uses an encryption algorithm in the `AesEncrypt` function.
