Bit-Flipping Attack The advisory has been revoked - it doesn't affect any version of package parsel Open this link in a new tab

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-PARSEL-542919
published 22 Jan 2020
disclosed 22 Jan 2020
credit Salesforce Product Security

Report a new vulnerability Found a mistake?

Introduced: 22 Jan 2020

CVE-2020-6763 Open this link in a new tab CWE-649 Open this link in a new tab First added by Snyk

Amendment

This was deemed not a vulnerability.

Overview

parsel is a gem to encrypt and decrypt data with a given key.

Affected versions of this package are vulnerable to Bit-Flipping Attack via the ciphertext function. AES-256-CBC, the construct used in parsel.rb, has no integrity check (i.e., there is no MAC for integrity.)

Details

A bit-flipping attack is an attack on a cryptographic cipher in which the attacker can change the ciphertext in such a way as to result in a predictable change of the plaintext, although the attacker is not able to learn the plaintext itself.

References

GitHub Vulnerable Code