CVE-2023-26154
Description
Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. Note: In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pubnubnpm | < 7.4.0 | 7.4.0 |
com.pubnub:pubnub-kotlinMaven | < 7.7.0 | 7.7.0 |
com.pubnub:pubnubMaven | <= 4.6.5 | — |
github.com/pubnub/go/v7Go | < 7.2.0 | 7.2.0 |
github.com/pubnub/goGo | < 0.0.0-20231016150651-428517fef5b9 | 0.0.0-20231016150651-428517fef5b9 |
github.com/pubnub/go/v6Go | < 6.1.1-0.20231016150651-428517fef5b9 | 6.1.1-0.20231016150651-428517fef5b9 |
github.com/pubnub/go/v5Go | < 5.0.4-0.20231016150651-428517fef5b9 | 5.0.4-0.20231016150651-428517fef5b9 |
PubnubNuGet | < 6.19.0 | 6.19.0 |
github.com/pubnub/swiftSwiftURL | < 6.2.0 | 6.2.0 |
pubnubRubyGems | < 5.3.0 | 5.3.0 |
pubnubcrates.io | < 0.4.0 | 0.4.0 |
pubnub/pubnubPackagist | < 6.1.0 | 6.1.0 |
pubnubPub | < 4.3.0 | 4.3.0 |
pubnubPyPI | < 7.3.0 | 7.3.0 |
Affected products
16- ghsa-coords15 versionspkg:cargo/pubnubpkg:composer/pubnub/pubnubpkg:gem/pubnubpkg:golang/github.com/pubnub/gopkg:golang/github.com/pubnub/go/v5pkg:golang/github.com/pubnub/go/v6pkg:golang/github.com/pubnub/go/v7pkg:maven/com.pubnub/pubnubpkg:maven/com.pubnub/pubnub-kotlinpkg:npm/pubnubpkg:nuget/pubnubpkg:pub/pubnubpkg:pypi/pubnubpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweedpkg:swift/github.com/pubnub/swift
< 0.4.0+ 14 more
- (no CPE)range: < 0.4.0
- (no CPE)range: < 6.1.0
- (no CPE)range: < 5.3.0
- (no CPE)range: < 0.0.0-20231016150651-428517fef5b9
- (no CPE)range: < 5.0.4-0.20231016150651-428517fef5b9
- (no CPE)range: < 6.1.1-0.20231016150651-428517fef5b9
- (no CPE)range: < 7.2.0
- (no CPE)range: <= 4.6.5
- (no CPE)range: < 7.7.0
- (no CPE)range: < 7.4.0
- (no CPE)range: < 6.19.0
- (no CPE)range: < 4.3.0
- (no CPE)range: < 7.3.0
- (no CPE)range: < 0.0.20250818T190335-1.1
- (no CPE)range: < 6.2.0
Patches
Vulnerability mechanics
References
22- github.com/pubnub/javascript/commit/fb6cd0417cbb4ba87ea2d5d86a9c94774447e119nvdPatchWEB
- gist.github.com/vargad/20237094fce7a0a28f0723d7ce395bb0nvdExploitIssue TrackingWEB
- github.com/advisories/GHSA-5844-q3fc-56rhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-26154ghsaADVISORY
- security.snyk.io/vuln/SNYK-COCOAPODS-PUBNUB-6098384nvdThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-DOTNET-PUBNUB-6098372nvdThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPUBNUBGO-6098373nvdThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPUBNUBGOV7-6098374nvdThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-JAVA-COMPUBNUB-6098371nvdThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-JAVA-COMPUBNUB-6098380nvdThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-JS-PUBNUB-5840690nvdThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-PHP-PUBNUBPUBNUB-6098376nvdThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-PUB-PUBNUB-6098385nvdThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-PYTHON-PUBNUB-6098375nvdThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-RUBY-PUBNUB-6098377nvdThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-RUST-PUBNUB-6098378nvdThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-SWIFT-PUBNUBSWIFT-6098381nvdThird Party AdvisoryWEB
- security.snyk.io/vuln/SNYK-UNMANAGED-PUBNUBCCORE-6098379nvdThird Party AdvisoryWEB
- github.com/pubnub/go/commit/428517fef5b901db7275d9f5a75eda89a4c28e08ghsaWEB
- github.com/pubnub/javascript/blob/master/src/crypto/modules/web.jsghsaWEB
- github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js%23L70nvdBroken Link
- github.com/rubysec/ruby-advisory-db/blob/master/gems/pubnub/CVE-2023-26154.ymlghsaWEB
News mentions
0No linked articles in our index yet.