CVE-2023-26154

Summary

CVE-2023-26154 is a vulnerability that affects multiple versions of the PubNub package, including versions before 7.4.0, 6.19.0, and 7.3.0, as well as various other packages such as com.pubnub:pubnub and github.com/pubnub/go/v7. The vulnerability is due to an inefficient implementation of the AES-256-CBC cryptographic algorithm in the getKey function, which results in insufficient entropy. This means that the provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message. The vulnerability poses a medium risk with a base score of 5.9 according to [email protected], with high impact on confidentiality but no impact on integrity or availability. The exploitability score is 2.2 out of 10, indicating a relatively low level of ease for an attacker to exploit this vulnerability remotely without any privileges required from the user.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.