
GHSA-r2r8-36pq-27cm: nzo/url-encryptor-bundle Insecure default secret key and IV allowing anyone to decrypt values

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
CWE: -
Published: 5/17/2024
Updated: 5/17/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Package Name               Ecosystem   Vulnerable Versions   First Patched Version
nzo/url-encryptor-bundle   composer    >= 5.0.0, < 5.0.1     5.0.1
nzo/url-encryptor-bundle   composer    >= 4.0.0, < 4.3.2     4.3.2

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stemmed from two issues. First, the UrlEncryptor constructor accepted empty secrets and derived the IV with a flawed method (static length, key reuse), so every value was encrypted under the same IV. Second, the bundle's Configuration schema permitted empty secrets, so these insecure parameters could be left unconfigured. The commit patched both by making secrets required and improving IV generation: the pre-patch behavior of __construct directly enabled the insecure cryptographic parameters, while the Configuration setup allowed them to remain unset.
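To make the two root causes concrete, here is an added illustration in PHP; it is not code from nzo/url-encryptor-bundle, and the class names WeakUrlEncryptor and HardenedUrlEncryptor, their method names and the key-derivation details are assumptions chosen only to mirror the pattern the analysis describes. The weak class accepts an empty secret and derives one static IV from it, so identical values always produce identical tokens and the CTR keystream is reused across every value; the hardened class rejects an empty secret, draws a fresh random IV per value, and adds an HMAC because aes-256-ctr alone offers no integrity.

```php
<?php
// Added example (not the bundle's own code). Names and key derivation are
// hypothetical; only the weaknesses mirrored here come from the advisory.

final class WeakUrlEncryptor
{
    private string $key;
    private string $iv;

    // Weakness 1: an empty secret is accepted without complaint.
    // Weakness 2: the IV is derived once from the secret and reused for every
    // value, so the aes-256-ctr keystream repeats across all encrypted values.
    public function __construct(string $secret)
    {
        $this->key = hash('sha256', $secret, true);                       // 32-byte key
        $this->iv  = substr(hash('sha256', 'iv' . $secret, true), 0, 16); // static IV
    }

    public function encrypt(string $value): string
    {
        $ct = openssl_encrypt($value, 'aes-256-ctr', $this->key, OPENSSL_RAW_DATA, $this->iv);
        return rtrim(strtr(base64_encode($ct), '+/', '-_'), '=');
    }
}

final class HardenedUrlEncryptor
{
    private const CIPHER  = 'aes-256-ctr';
    private const TAG_LEN = 32; // HMAC-SHA256 output length

    private string $encKey;
    private string $macKey;

    // Fix 1: a missing or empty secret is a configuration error, not a default.
    public function __construct(string $secret)
    {
        if (strlen($secret) < 32) {
            throw new \InvalidArgumentException('A secret of at least 32 bytes is required');
        }
        // Separate keys for encryption and authentication, both derived from the secret.
        $this->encKey = hash_hmac('sha256', 'enc', $secret, true);
        $this->macKey = hash_hmac('sha256', 'mac', $secret, true);
    }

    // Fix 2: a fresh random IV per value, carried inside the token, plus an
    // HMAC over IV and ciphertext so a malleable CTR ciphertext cannot be
    // altered without detection.
    public function encrypt(string $value): string
    {
        $iv  = random_bytes(openssl_cipher_iv_length(self::CIPHER));
        $ct  = openssl_encrypt($value, self::CIPHER, $this->encKey, OPENSSL_RAW_DATA, $iv);
        $tag = hash_hmac('sha256', $iv . $ct, $this->macKey, true);
        return rtrim(strtr(base64_encode($iv . $ct . $tag), '+/', '-_'), '=');
    }

    public function decrypt(string $token): string
    {
        $raw   = base64_decode(strtr($token, '-_', '+/'), true);
        $ivLen = openssl_cipher_iv_length(self::CIPHER);
        if ($raw === false || strlen($raw) < $ivLen + self::TAG_LEN) {
            throw new \RuntimeException('Malformed token');
        }
        $iv  = substr($raw, 0, $ivLen);
        $tag = substr($raw, -self::TAG_LEN);
        $ct  = substr($raw, $ivLen, -self::TAG_LEN);
        // Constant-time comparison before any decryption is attempted.
        if (!hash_equals(hash_hmac('sha256', $iv . $ct, $this->macKey, true), $tag)) {
            throw new \RuntimeException('Token failed integrity check');
        }
        return openssl_decrypt($ct, self::CIPHER, $this->encKey, OPENSSL_RAW_DATA, $iv);
    }
}

// Constructed demonstration values, not taken from the advisory.
$weak = new WeakUrlEncryptor('');          // accepted: the insecure default
$a = $weak->encrypt('user_id=42');
$b = $weak->encrypt('user_id=42');
echo "weak:     same token twice? " . ($a === $b ? 'yes' : 'no') . PHP_EOL;

$hard = new HardenedUrlEncryptor(bin2hex(random_bytes(16))); // 32-char secret
$c = $hard->encrypt('user_id=42');
$d = $hard->encrypt('user_id=42');
echo "hardened: same token twice? " . ($c === $d ? 'yes' : 'no') . PHP_EOL;
echo "hardened: round trip = " . $hard->decrypt($c) . PHP_EOL;
```

Run with `php example.php`: the weak encryptor prints "yes" (the static IV makes tokens for equal values identical, and with an empty secret the key is the well-known SHA-256 of the empty string), while the hardened one prints "no" and still round-trips. Making the secret mandatory at the configuration level is the other half of the fix: a schema that allows an empty value lets the insecure default ship unnoticed.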


WAF Protection Rules

WAF Rule

Versions of nzo/url-encryptor-bundle prior to 5.0.1 and 4.3.2 are affected by a security vulnerability related to the lack of mandatory key and IV requirements. By default, the bundle uses the aes-256-ctr algorithm, which is susceptible to malleability
