Severity: high

Hardcoded Initialization Vector



All versions of parsel have a default hardcoded initialization vector. In cases where the IV is not provided, the package defaults to a hardcoded IV which renders the cipher vulnerable to chosen plaintext attacks.


The package is deprecated and will not be updated. Consider using an alternative package.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Jan 23rd, 2020
  2. reported

    Reported by Salesforce Product Security
    Jan 23rd, 2020