CVE-2012-2146

High

Elixir 0.8.0 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for…

redhat·CWE-310·Published 2012-08-26

CVSS

7.5

EPSS

0.02

KEV

Exploits

cve.orgen

204 chars

Elixir 0.8.0 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database.

NVDen

204 chars

OSV.deven

204 chars

GHSAen

390 chars

Elixir prior to and including 0.7.1 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database. A patch has been [attached](https://sochotni.fedorapeople.org/python-elixir-aes-encryption-addition.patch) to the initial advisory to mitigate this vulnerability.

NVDes

237 chars

Elixir v0.8.0 utiliza Blowfish en el modo CFB sin construir un vector único de inicialización (IV), lo cual hace que sea más fácil para los usuarios dependientes de contexto obtener la información sensible y descifrar la base de datos.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N
3.1	Secondary	GHSA	7.5	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0	Secondary	GHSA	8.7	—	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N