VYPR
Moderate severity · NVD Advisory · Published Sep 15, 2012 · Updated Apr 29, 2026

CVE-2012-3458

Description

Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.
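An added example (not Beaker's code) written in Go for its standard-library AES: it rebuilds the ECB construction this advisory describes and the zero-counter CTR construction from the patch below, and shows what each leaks. The 32-byte key and the session payload are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt mirrors the pre-fix Beaker code: PyCrypto's AES.new(key) with no mode is ECB and the
// data was space-padded to a 16-byte boundary, so equal plaintext blocks give equal ciphertext blocks.
func ecbEncrypt(block cipher.Block, data []byte) []byte {
	padded := append(append([]byte{}, data...), bytes.Repeat([]byte(" "), 16-len(data)%16)...)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += 16 {
		block.Encrypt(out[i:i+16], padded[i:i+16])
	}
	return out
}

// ctrEncrypt is AES-CTR with a caller-chosen 16-byte big-endian counter block, as PyCrypto's
// Counter.new(128). All zeros reproduces the patched code (one keystream per key); a fresh random
// block per message, stored with the ciphertext, avoids that. CTR is symmetric: the same call decrypts.
func ctrEncrypt(block cipher.Block, counter, data []byte) []byte {
	out := make([]byte, len(data))
	cipher.NewCTR(block, counter).XORKeyStream(out, data)
	return out
}

// distinctBlocks counts distinct 16-byte ciphertext blocks. Under ECB this equals the number of
// distinct plaintext blocks, which is the structure an observer can read off an encrypted session.
func distinctBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+16 <= len(ct); i += 16 {
		seen[string(ct[i:i+16])] = true
	}
	return len(seen)
}

func main() {
	block, err := aes.NewCipher(bytes.Repeat([]byte("k"), 32)) // constructed 32-byte key (getKeyLength() == 32)
	if err != nil {
		panic(err)
	}
	session := bytes.Repeat([]byte("role=guest;uid=0"), 3) // constructed payload: one 16-byte field, three times
	nonce := make([]byte, 16)
	rand.Read(nonce) // per-message counter block; a real implementation stores it alongside the ciphertext
	fmt.Println("distinct blocks, ECB vs CTR:", distinctBlocks(ecbEncrypt(block, session)), distinctBlocks(ctrEncrypt(block, nonce, session)))
}
```

With ECB the three repeated fields collapse to a single repeated ciphertext block, so the repetition is visible without the key; with CTR every block differs, and no padding block is emitted.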

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions   Patched versions
beaker (PyPI)   < 1.6.4             1.6.4

Patches

91becae76101

Apply patch from Redhat to secure pycrypto that otherwise could allow an attacker to determine contents of the encrypted payload (but is unable to modify).

https://github.com/bbangert/beaker · Ben Bangert · Aug 7, 2012 · via GHSA
1 file changed · +6 −5
  • beaker/crypto/pycrypto.py (+6 −5, modified)
    @@ -15,17 +15,18 @@ def aesEncrypt(data, key):
     
     except ImportError:
         from Crypto.Cipher import AES
    +    from Crypto.Util import Counter
     
         def aesEncrypt(data, key):
    -        cipher = AES.new(key)
    +        cipher = AES.new(key, AES.MODE_CTR,
    +                         counter=Counter.new(128, initial_value=0))
     
    -        data = data + (" " * (16 - (len(data) % 16)))
             return cipher.encrypt(data)
     
         def aesDecrypt(data, key):
    -        cipher = AES.new(key)
    -
    -        return cipher.decrypt(data).rstrip()
    +        cipher = AES.new(key, AES.MODE_CTR,
    +                         counter=Counter.new(128, initial_value=0))
    +        return cipher.decrypt(data)
     
     def getKeyLength():
         return 32
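Review bot: the new aesEncrypt/aesDecrypt pair uses AES.MODE_CTR with Counter.new(128, initial_value=0) and no per-message nonce, so every payload encrypted under the same key is XORed with the same keystream; CTR with a repeated keystream exposes the XOR of any two plaintexts, which is the same class of confidentiality loss this commit sets out to fix. Derive initial_value from 16 fresh random bytes per call and prepend them to the ciphertext so aesDecrypt can rebuild the same Counter, and note that nothing in this hunk authenticates the ciphertext: CTR is malleable, so the commit message's "unable to modify" has to come from a MAC applied elsewhere, not from the cipher mode. Dropping the space padding and the .rstrip() is correct for CTR, which needs no block alignment.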
    
