BUG_Author: Kelsey Tian
Affected Version: blinksocks v3.3.8
Vendor: blinksocks https://github.com/blinksocks/blinksocks
Software: https://github.com/blinksocks/blinksocks
Vulnerability File: https://github.com/blinksocks/blinksocks/blob/master/lib/presets/ssr-auth-aes128.js https://github.com/blinksocks/blinksocks/blob/master/lib/presets/ssr-auth-chain.js
Using a non-random IV for CBC and CFB modes
- lib/presets/ssr-auth-aes128.js, line 100
- lib/presets/ssr-auth-chain.js, line 163
Using insecure symmetric-key algorithms: RC4
- lib/presets/ssr-auth-chain.js, line 173
- lib/presets/ssr-auth-chain.js, line 278
- lib/presets/ssr-auth-chain.js, line 391
- lib/presets/ssr-auth-chain.js, line 436
Vulnerability Type: CWE-329, CWE-1204: Generation of Weak Initialization Vector (IV)
Attack Type: Remote
Impact: Information Disclosure
Severity: High
Description: Some code in the project uses an outdated encryption algorithm (RC4) and fixed initialization vectors for CBC and CFB modes, which may lead to security vulnerabilities. It is recommended to improve the security and data integrity of the system by updating the encryption algorithm and replacing the fixed initialization vectors with random ones.
References: blinksocks/blinksocks#108
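
Added example (not code from blinksocks or from the report author): a Node.js sketch of why a fixed IV in CBC mode discloses information, shown next to the corrected per-message random IV. It covers CBC only; the function names, the all-zero IV and the sample messages are constructed for illustration.

```javascript
// Added example: fixed vs. random IV with AES-128-CBC (Node.js crypto module).
const crypto = require('crypto');

const BLOCK = 16; // AES block size in bytes

// Weak pattern: the IV is a constant, so it is identical for every message.
function encryptFixedIv(key, plaintext) {
  const iv = Buffer.alloc(BLOCK, 0); // constructed all-zero IV
  const c = crypto.createCipheriv('aes-128-cbc', key, iv);
  return Buffer.concat([c.update(plaintext), c.final()]);
}

// Corrected pattern: fresh random IV per message, sent in front of the ciphertext.
function encryptRandomIv(key, plaintext) {
  const iv = crypto.randomBytes(BLOCK);
  const c = crypto.createCipheriv('aes-128-cbc', key, iv);
  return Buffer.concat([iv, c.update(plaintext), c.final()]);
}

function decryptRandomIv(key, data) {
  const d = crypto.createDecipheriv('aes-128-cbc', key, data.subarray(0, BLOCK));
  return Buffer.concat([d.update(data.subarray(BLOCK)), d.final()]);
}

// Number of leading 16-byte ciphertext blocks that two messages have in common.
function sharedLeadingBlocks(a, b) {
  const max = Math.floor(Math.min(a.length, b.length) / BLOCK);
  let n = 0;
  while (n < max &&
         a.subarray(n * BLOCK, (n + 1) * BLOCK).equals(b.subarray(n * BLOCK, (n + 1) * BLOCK))) {
    n++;
  }
  return n;
}

// Constructed sample data: two messages that share a 32-byte (two-block) prefix.
const key = crypto.randomBytes(16);
const prefix = 'A'.repeat(32);
const m1 = Buffer.from(prefix + 'first-message');
const m2 = Buffer.from(prefix + 'second-message');

// Fixed IV: the shared plaintext prefix shows up as identical ciphertext blocks.
const fixedLeak = sharedLeadingBlocks(encryptFixedIv(key, m1), encryptFixedIv(key, m2));
// Random IV: compare the ciphertext bodies (IV stripped); nothing lines up.
const r1 = encryptRandomIv(key, m1);
const r2 = encryptRandomIv(key, m2);
const randomLeak = sharedLeadingBlocks(r1.subarray(BLOCK), r2.subarray(BLOCK));
console.log({ fixedLeak, randomLeak });
```

With the fixed IV, an observer who never learns the key can still tell that the two messages begin with the same 32 bytes; with a random IV per message that equality is hidden.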