Insufficient Verification of Data Authenticity Affecting ilicmiljan/secure-props package, versions >=1.2.0, <1.2.2
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-ILICMILJANSECUREPROPS-6468184
- published 20 Mar 2024
- disclosed 18 Mar 2024
- credit IlicMiljan
Introduced: 18 Mar 2024
CVE-2024-28864 Open this link in a new tabHow to fix?
Upgrade ilicmiljan/secure-props
to version 1.2.2 or higher.
Overview
Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity due to the TagAwareCipher
process. An attacker can cause the decryption process to be skipped, resulting in encrypted data being returned in plain format, by encoding the data with NullEncoder
and including special characters such as \n
which are not detected by the regex used for tag detection.
Note
This is only exploitable if TagAwareCipher
is implemented with any base cipher that has NullEncoder
(not default).
Workaround
This vulnerability can be mitigated by using the default Base64Encoder
with the base cipher decorated with TagAwareCipher
to prevent special characters in the encrypted string from interfering with regex tag detection logic.
This workaround is safe but may involve double encoding since TagAwareCipher
uses Base64Encoder
by default.