1216431 – (CVE-2023-44690) VUL-0: CVE-2023-44690: python-mycli: use of insecure AES-ECB

Bug 1216431 (CVE-2023-44690) - VUL-0: CVE-2023-44690: python-mycli: use of insecure AES-ECB

Summary: VUL-0: CVE-2023-44690: python-mycli: use of insecure AES-ECB

Status:	NEW

Alias:	CVE-2023-44690

Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Security (show other bugs)
Version:	Current
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal (vote)
Target Milestone:	---
Assignee:	John Paul Adrian Glaubitz
QA Contact:	E-mail List

URL:	https://smash.suse.de/issue/382518/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-10-20 07:19 UTC by SMASH SMASH
Modified:	2024-02-21 11:47 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2023-10-20 07:19:37 UTC

Inadequate encryption strength in mycli 1.27.0 allows attackers to view
sensitive information via /mycli/config.py

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-44690
https://github.com/dbcli/mycli/issues/1131

Comment 1 Thomas Leroy 2023-10-20 07:20:50 UTC

openSUSE:Factory is affected

Comment 2 John Paul Adrian Glaubitz 2024-02-21 11:47:37 UTC

According to upstream, this CVE is considered to be a false positive: https://github.com/dbcli/mycli/issues/1131#issuecomment-1849023748