CVE-2024-28864

CVSS 3.1 Score 2.6 of 10 (low)

Details

Published Mar 18, 2024
Updated: Mar 19, 2024
CWE ID 1333

Summary

CVE-2024-28864 is a vulnerability in the SecureProps PHP library, versions 1.2.0 and 1.2.1. When encrypted data that has been encoded with NullEncoder is passed to TagAwareCipher for decryption, the regex fails to detect the tags. As a result, the decryption process is skipped and the encrypted data is returned in plain format without being decrypted. Users who implement TagAwareCipher with any base cipher that has NullEncoder are affected.

The issue has been patched in version 1.2.2, and users are advised to update to this version. As a workaround, users may use the default Base64Encoder with the base cipher decorated with TagAwareCipher, which prevents special characters from interfering with the regex tag detection logic.

The vulnerability is rated low risk: network attack vector, low privileges required, user interaction required, low confidentiality impact, and no integrity or availability impact identified.
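The failure mode and the Base64 workaround described above, modeled as an added example (not SecureProps code and not taken from the advisory). The `<ENC>` tag format, the regex, the XOR stand-in cipher, and the choice of a newline as the interfering byte are all assumptions made for illustration.

```php
<?php
// Illustrative model only, NOT SecureProps code. The <ENC> tag format, the
// regex and the XOR stand-in cipher are assumptions made for this example.

function toyXor(string $data): string            // stand-in for a real base cipher
{
    return $data ^ str_repeat("\x2A", strlen($data));
}

function encryptTagged(string $plain, bool $base64): string
{
    $ct = toyXor($plain);                        // raw bytes, may contain "\n"
    return '<ENC>' . ($base64 ? base64_encode($ct) : $ct) . '</ENC>';
}

// Naive tag detection: without the /s modifier, "." never matches "\n".
function decryptNaive(string $value, bool $base64): string
{
    if (!preg_match('/^<ENC>(.*)<\/ENC>$/', $value, $m)) {
        return $value;                           // no tag detected: decryption skipped
    }
    return toyXor($base64 ? (string) base64_decode($m[1]) : $m[1]);
}

// Corrected detection: /s lets "." span every byte; \A and \z anchor the whole value.
function decryptFixed(string $value, bool $base64): string
{
    if (!preg_match('/\A<ENC>(.*)<\/ENC>\z/s', $value, $m)) {
        return $value;
    }
    return toyXor($base64 ? (string) base64_decode($m[1]) : $m[1]);
}

// Caller-side check: a "decrypted" value that still carries the tags was skipped.
function stillTagged(string $value): bool
{
    return strncmp($value, '<ENC>', 5) === 0 && substr($value, -6) === '</ENC>';
}

$plain = 'db password';                          // constructed sample; " " XOR 0x2A is "\n"
$raw   = encryptTagged($plain, false);           // raw ciphertext, no encoding
$b64   = encryptTagged($plain, true);            // Base64-encoded ciphertext

printf("naive + raw bytes decrypted: %s\n", var_export(decryptNaive($raw, false) === $plain, true));
printf("naive + raw still tagged:    %s\n", var_export(stillTagged(decryptNaive($raw, false)), true));
printf("naive + base64 decrypted:    %s\n", var_export(decryptNaive($b64, true) === $plain, true));
printf("fixed + raw bytes decrypted: %s\n", var_export(decryptFixed($raw, false) === $plain, true));
```

A check like `stillTagged()` on decryption output is a cheap way to detect a silently skipped decryption in code that cannot be upgraded immediately.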
