<p>Upgrade <code>org.apache.directory.server:apacheds-kerberos-codec</code> to version 2.0.0.AM27 or higher.</p>

Cryptographic Issues Affecting org.apache.directory.server:apacheds-kerberos-codec package, versions [,2.0.0.AM27)

Snyk CVSS

Attack Complexity Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGAPACHEDIRECTORYSERVER-1063040
published 6 May 2021
disclosed 20 Jan 2021
credit Ya Xiao

Report a new vulnerability Found a mistake?

Introduced: 20 Jan 2021

CWE-310 Open this link in a new tab CWE-338 Open this link in a new tab

How to fix?

Upgrade org.apache.directory.server:apacheds-kerberos-codec to version 2.0.0.AM27 or higher.

Overview

Affected versions of this package are vulnerable to Cryptographic Issues. A static IV is used in symmetric encryption with CBC mode. The IV of CBC mode is expected to be random. The static IV makes the resulting ciphertext much more predictable and susceptible to a dictionary attack.

Cryptographic Issues Affecting org.apache.directory.server:apacheds-kerberos-codec package, versions [,2.0.0.AM27)

Snyk CVSS

Introduced: 20 Jan 2021

How to fix?

Overview

References