Hardcoded Initialization Vector in parsel
High severity
GitHub Reviewed
Published
Sep 4, 2020
to the GitHub Advisory Database
•
Updated Jan 9, 2023
Description
Reviewed
Aug 31, 2020
Published to the GitHub Advisory Database
Sep 4, 2020
Last updated
Jan 9, 2023
All versions of
parsel
have a default hardcoded initialization vector. In cases where the IV is not provided, the package defaults to a hardcoded IV which renders the cipher vulnerable to chosen plaintext attacks.Recommendation
The package is deprecated and will not be updated. Consider using an alternative package.
References