Bug 1216431 (CVE-2023-44690)

Summary: VUL-0: CVE-2023-44690: python-mycli: use of insecure AES-ECB
Product: [openSUSE] openSUSE Tumbleweed
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: John Paul Adrian Glaubitz <adrian.glaubitz>
Status: NEW ---
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: thomas.leroy
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/382518/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-10-20 07:19:37 UTC
Inadequate encryption strength in mycli 1.27.0 allows attackers to view
sensitive information via /mycli/config.py

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-44690
https://github.com/dbcli/mycli/issues/1131
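The summary names AES-ECB as the weak construction. The example below is added here for readers of this report; it is not code from mycli, from the bug report or from the references above, and it does not reproduce whatever mycli does in config.py. It shows the property that makes ECB unsuitable for confidentiality (identical plaintext blocks under the same key give identical ciphertext blocks, so structure in the plaintext shows through) and a simple audit check for it. The block cipher used is a small hashlib-based Feistel network standing in for AES, because the weakness belongs to the mode, not to the cipher; that toy cipher, the sample credential record, the nonce layout and all function names are constructed for this illustration.

```python
"""
ECB versus CTR over the same block cipher, plus an ECB-pattern check.

Added example, not part of the bug report or of mycli. The block cipher is a
4-round Feistel network with a SHA-256 round function: a stand-in for AES that
is NOT secure and only exists so the script runs with the standard library.
"""
import hashlib
import os
from collections import Counter

BLOCK = 16  # same block size as AES


def _round(key: bytes, index: int, half: bytes) -> bytes:
    # Keyed round function: first 8 bytes of SHA-256(key || round index || half).
    return hashlib.sha256(key + bytes([index]) + half).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    # XOR up to the length of the shorter input (used for keystream truncation).
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block permutation (stand-in for AES; not secure)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt (Feistel rounds undone in reverse order)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, with no IV or counter."""
    assert len(plaintext) % BLOCK == 0, "ECB needs whole blocks (no padding here)"
    return b"".join(block_encrypt(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return b"".join(block_decrypt(key, ciphertext[i:i + BLOCK])
                    for i in range(0, len(ciphertext), BLOCK))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: XOR with a keystream derived from (nonce || block counter).

    Encryption and decryption are the same operation. The nonce must never be
    reused with the same key, and CTR alone gives no integrity: real code
    should use an AEAD such as AES-GCM rather than this raw mode.
    """
    assert len(nonce) == 8
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(8, "big")
        keystream = block_encrypt(key, counter_block)
        out += _xor(data[i:i + BLOCK], keystream)
    return bytes(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return sum(count - 1 for count in Counter(blocks).values())


def looks_like_ecb(ciphertext: bytes) -> bool:
    """Audit heuristic: repeated 16-byte blocks are a strong sign of ECB."""
    return repeated_blocks(ciphertext) > 0


def demo(key: bytes = None, nonce: bytes = None) -> dict:
    """Encrypt a constructed record with a repeated field under both modes."""
    key = key or os.urandom(16)
    nonce = nonce or os.urandom(8)
    # Constructed sample: three identical 16-byte fields followed by one more.
    record = b"password=hunter2" * 3 + b"user=alice;db=x1"
    ecb_ct = ecb_encrypt(key, record)
    ctr_ct = ctr_encrypt(key, nonce, record)
    return {"ecb_repeats": repeated_blocks(ecb_ct),   # 2: the field shows through
            "ctr_repeats": repeated_blocks(ctr_ct)}   # 0: every block differs


if __name__ == "__main__":
    print(demo())
```

Running the script prints two counts: the ECB ciphertext contains the repeated field as two duplicate blocks, while the CTR ciphertext of the same record has none. The `looks_like_ecb` check is the kind of test a reviewer can run over stored secrets or captured ciphertext when auditing a configuration store without reading the code that produced it.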
Comment 1 Thomas Leroy 2023-10-20 07:20:50 UTC
openSUSE:Factory is affected
Comment 2 John Paul Adrian Glaubitz 2024-02-21 11:47:37 UTC
According to upstream, this CVE is considered to be a false positive: https://github.com/dbcli/mycli/issues/1131#issuecomment-1849023748