CVE-2023-26154
https://notcve.org/view.php?id=CVE-2023-26154
Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. **Note:** In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption. Versiones del paquete pubnub anteriores a 7.4.0; todas las versiones del paquete com.pubnub:pubnub; versiones del paquete pubnub anteriores a 6.19.0; todas las versiones del paquete github.com/pubnub/go; versiones del paquete github.com/pubnub/go/v7 anteriores a 7.2.0; versiones del paquete pubnub anteriores a 7.3.0; versiones del paquete pubnub/pubnub anteriores a 6.1.0; versiones del paquete pubnub anteriores a 5.3.0; versiones del paquete pubnub anteriores a 0.4.0; versiones del paquete pubnub/c-core anteriores a 4.5.0; versiones del paquete com.pubnub:pubnub-kotlin anteriores a 7.7.0; versiones del paquete pubnub/swift anteriores a 6.2.0; versiones del paquete pubnub anteriores a 5.2.0; Las versiones del paquete pubnub anteriores a la 4.3.0 son vulnerables a una entropía insuficiente a través de la función getKey, debido a una implementación ineficiente del algoritmo criptográfico AES-256-CBC. La función de cifrado proporcionada es menos segura cuando se aplica codificación y recorte hexadecimal, dejando la mitad de los bits de la clave siempre igual para cada mensaje o archivo codificado. • https://gist.github.com/vargad/20237094fce7a0a28f0723d7ce395bb0 https://github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js%23L70 https://github.com/pubnub/javascript/commit/fb6cd0417cbb4ba87ea2d5d86a9c94774447e119 https://security.snyk.io/vuln/SNYK-COCOAPODS-PUBNUB-6098384 https://security.snyk.io/vuln/SNYK-DOTNET-PUBNUB-6098372 https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPUBNUBGO-6098373 https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPUBNUBGOV7-6098374 https://security.snyk.io/vuln/SNYK-JAVA • CWE-331: Insufficient Entropy •
CVE-2022-32389
https://notcve.org/view.php?id=CVE-2022-32389
Isode SWIFT v4.0.2 was discovered to contain hard-coded credentials in the Registry Editor. This allows attackers to access sensitive information such as user credentials and certificates. Se ha detectado que Isode SWIFT versión v4.0.2, contiene credenciales embebidas en el Editor del Registro. Esto permite a atacantes acceder a información confidencial como credenciales de usuario y certificados • https://gtn.com.np/wp-content/uploads/2022/06/SWIFT-CVE-REQUEST.pdf https://swift.im/downloads.html https://www.isode.com/products/swift.html • CWE-798: Use of Hard-coded Credentials •
CVE-2022-1642
https://notcve.org/view.php?id=CVE-2022-1642
A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This vulnerability is caused by the interaction between a deserialization mechanism offered by the Swift standard library, the Codable protocol; and the JSONDecoder class offered by swift-corelibs-foundation, which can deserialize types that adopt the Codable protocol based on the content of a provided JSON document. When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt and coerce a corresponding JSON value and produce an integer. In the case the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value. The checked casting produces a deterministic crash due to this mismatch. • https://github.com/apple/swift-corelibs-foundation/security/advisories/GHSA-239c-6cv2-wwx8 • CWE-241: Improper Handling of Unexpected Data Type CWE-351: Insufficient Type Distinction CWE-704: Incorrect Type Conversion or Cast •
CVE-2020-9861
https://notcve.org/view.php?id=CVE-2020-9861
A stack overflow issue existed in Swift for Linux. The issue was addressed with improved input validation for dealing with deeply nested malicious JSON input. Se presentó un problema de desbordamiento de pila en Swift para Linux. El problema se abordó con una comprobación de entrada mejorada para tratar entradas JSON maliciosas anidadas de forma profunda • https://forums.swift.org/t/swift-5-1-5-for-linux-jsonserialization-limit-recursion-when-parsing/34514 • CWE-674: Uncontrolled Recursion •
CVE-2019-8790
https://notcve.org/view.php?id=CVE-2019-8790
This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure. Este problema se abordó al actualizar la lógica de administración de descriptores de archivo URLSession incorrecta para que coincida con Swift versión 5.0. Este problema se corrigió en Swift versión 5.1.1 para Ubuntu. • https://support.apple.com/en-us/HT210647 • CWE-922: Insecure Storage of Sensitive Information •