Homepage
About Snyk

Insufficient Verification of Data Authenticity Affecting ilicmiljan/secure-props package, versions >=1.2.0, <1.2.2

0.0
low

Snyk CVSS

    Attack Complexity High
    User Interaction Required

    Threat Intelligence

    EPSS 0.05% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-ILICMILJANSECUREPROPS-6468184
  • published 20 Mar 2024
  • disclosed 18 Mar 2024
  • credit IlicMiljan
Report a new vulnerability Found a mistake?

Introduced: 18 Mar 2024

CVE-2024-28864 Open this link in a new tab
CWE-347 Open this link in a new tab

How to fix?

Upgrade ilicmiljan/secure-props to version 1.2.2 or higher.

Overview

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity due to the TagAwareCipher process. An attacker can cause the decryption process to be skipped, resulting in encrypted data being returned in plain format, by encoding the data with NullEncoder and including special characters such as \n which are not detected by the regex used for tag detection.

Note

This is only exploitable if TagAwareCipher is implemented with any base cipher that has NullEncoder (not default).

Workaround

This vulnerability can be mitigated by using the default Base64Encoder with the base cipher decorated with TagAwareCipher to prevent special characters in the encrypted string from interfering with regex tag detection logic. This workaround is safe but may involve double encoding since TagAwareCipher uses Base64Encoder by default.