CVE-2022-29249
Reversible One-Way Hash and Use of a Broken or Risky Cryptographic Algorithm in io.github.javaezlib.JavaEZ
In short
JavaEZ 1.6 uses weak encryption that can be broken by attackers to decrypt locked text. This is a serious problem if you're using this library to protect sensitive information.
Technical detail
CVE-2022-29249 covers a reversible one-way hash and the use of a broken or risky cryptographic algorithm (CWE-327, CWE-328) in the encryption mechanism of JavaEZ 1.6, which allows unauthorized decryption of protected data. An attacker with access to the encrypted text can recover the plaintext without authentication. The vulnerability is isolated to version 1.6; upgrading to 1.7 or later is the only remediation path.
Summary generated and translated by AI from the official description.
JavaEZ is a library that adds new functions to make Java easier. A weakness in JavaEZ 1.6 allows forced decryption of locked text by unauthorized actors. The issue is NOT critical for non-secure applications; however, it may be critical in a situation where the highest levels of security are required. This issue ONLY affects v1.6 and does not affect anything pre-1.6. The vulnerability has been patched in release 1.7. Currently, there is no way to fix the issue without upgrading.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
JavaEZLib · JavaEZ