Insufficient Entropy in AES Encryption for Lemur by Netflix
CVE-2015-7764

7.5 HIGH

Key Information:

Vendor: Netflix

CVE Published: 9 August 2017

What is CVE-2015-7764?

Lemur 0.1.4, an open-source tool developed by Netflix, does not use sufficient entropy in its initialization vector (IV) when encrypting with AES in CBC mode. This flaw could potentially allow attackers to determine encryption keys or decrypt sensitive information, putting data confidentiality at risk. Users of Lemur should address this vulnerability by updating to a more secure version or implementing additional security measures to ensure robust encryption practices.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
