
CVE-2024-36823: Weak encryption in Ninja Core

CVSS 3.1 Score: 7.5

Basic Information

EPSS Score: 0.90592%
Published: 6/7/2024
Updated: 6/7/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: org.ninjaframework:ninja-core
Ecosystem: maven
Vulnerable Versions: = 7.0.0
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. The vulnerability description explicitly mentions the encrypt() function as the source of weak encryption.
  2. The GitHub issue #759 directly analyzes CookieEncryption.java, showing AES/ECB usage through Cipher.getInstance("AES") which defaults to ECB mode.
  3. The ECB mode's insecure nature (identical plaintext blocks producing identical ciphertext) is well-documented and matches the described information leakage scenario.
  4. The test case in CookieEncryptionTest.java demonstrates predictable ciphertext patterns confirming ECB usage.
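As an added illustration (not code from Ninja Core or from this page), the Java program below reproduces the leak the analysis describes: "AES" alone resolves to AES/ECB/PKCS5Padding in the SunJCE provider, so a cookie payload with repeated 16-byte fields yields repeated ciphertext blocks, whereas AES/GCM with a fresh random nonce does not. The cookie payload and the hasRepeatedBlocks helper are constructed for this demo.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class EcbLeakDemo {

    // Constructed check: true if any two 16-byte ciphertext blocks are identical,
    // i.e. plaintext structure is visible to anyone holding the ciphertext.
    static boolean hasRepeatedBlocks(byte[] ct) {
        for (int i = 0; i + 16 <= ct.length; i += 16) {
            for (int j = i + 16; j + 16 <= ct.length; j += 16) {
                if (Arrays.equals(Arrays.copyOfRange(ct, i, i + 16),
                                  Arrays.copyOfRange(ct, j, j + 16))) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        // Constructed cookie payload: the same 16-byte field three times.
        byte[] plaintext = "role=admin;pad=0role=admin;pad=0role=admin;pad=0"
                .getBytes("UTF-8");

        // Weak form (what the CVE describes): "AES" with no mode or padding
        // resolves to AES/ECB/PKCS5Padding in SunJCE, so equal plaintext
        // blocks encrypt to equal ciphertext blocks under the same key.
        Cipher ecb = Cipher.getInstance("AES");
        ecb.init(Cipher.ENCRYPT_MODE, key);
        byte[] ecbCt = ecb.doFinal(plaintext);
        System.out.println("ECB repeated blocks: " + hasRepeatedBlocks(ecbCt));

        // Hardened form: authenticated AES-GCM with a fresh 96-bit nonce per
        // cookie. The nonce must be stored alongside the ciphertext and must
        // never be reused with the same key.
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] gcmCt = gcm.doFinal(plaintext);
        System.out.println("GCM repeated blocks: " + hasRepeatedBlocks(gcmCt));
    }
}
```

Because GCM also produces an authentication tag, a modified cookie fails decryption instead of being silently accepted, which ECB alone never guarantees.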


WAF Protection Rules

WAF Rule

The encrypt() function of Ninja Core v7.0.0 was discovered to use a weak cryptographic algorithm, leading to a possible leakage of sensitive information.
