Vulnerability Description
An issue was discovered in sysPass 2.x before 2.1, in which an algorithm was never sufficiently reviewed by cryptographers. The fact that inc/SP/Core/Crypt.class is using the MCRYPT_RIJNDAEL_256() function (the 256-bit block version of Rijndael, not AES) instead of MCRYPT_RIJNDAEL_128 (real AES) could help an attacker to create unknown havoc in the remote system.
CVSS Score
HIGH (CVSS base score 7.5/10)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Syspass | Syspass | 2.0 |
References
- http://www.securityfocus.com/bid/96562 (Third Party Advisory, VDB Entry)
- https://cxsecurity.com/issue/WLB-2017020196 (Third Party Advisory)
- https://github.com/nuxsmin/sysPass/commit/a0e2c485e53b370a7cc6d833e192c3c5bfd70e (Patch)
- https://github.com/nuxsmin/sysPass/releases/tag/2.1.0.17022601 (Patch, Release Notes)
FAQ
What is CVE-2017-5999?
CVE-2017-5999 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in sysPass 2.x before 2.1, in which an algorithm was never sufficiently reviewed by cryptographers. The fact that inc/SP/Core/Crypt.class is using the MCRYPT_RIJNDAEL_256() fun...
How severe is CVE-2017-5999?
CVE-2017-5999 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2017-5999?
Check the References section above for vendor advisories and patch information; the fix is in sysPass 2.1 (see the linked commit and the 2.1.0.17022601 release). Affected product: sysPass 2.0 (vendor: Syspass).