Headline
CVE-2023-48053
Archery v1.10.0 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications.
# Cryptographic API Misuse Vulnerability in Archery v1.10.0

- Do not use a constant key for encryption
- Do not use non-random/static predictable IVs in CBC

### Description:

Archery v1.10.0 is a SQL audit query platform.

- It uses a hard-coded, constant key for encryption operations, which is a security risk as it makes encrypted data susceptible to being decrypted by anyone who has access to the source code or the constant key itself. `salt=eCcGFZQj6PNoSSma31LR39rTzTbLkU8E`
- It utilizes a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. Using predictable IVs can lead to vulnerabilities like the disclosure of information about the plaintext of subsequent messages. `IV=0000000000000000`

### Affected Version

v1.10.0

### Location:

- https://github.com/hhyo/Archery/blob/master/common/utils/aes_decryptor.py#L7
- https://github.com/hhyo/Archery/blob/master/common/utils/aes_decryptor.py#L13
- https://github.com/hhyo/Archery/blob/master/common/utils/aes_decryptor.py#L33

### Reference

- CWE-259: Use of Hard-coded Password
- CWE-329: Generation of Predictable IV with CBC Mode
- CWE-330: Use of Insufficiently Random Values

### Expected Behavior:

- The encryption key should be random, generated dynamically and stored securely.
- The IV for CBC mode should be random and unpredictable for each encryption operation to ensure the security of the encryption scheme.

### Actual Behavior:

- The code uses a constant key for encryption which is visible and accessible to anyone who examines the code. `salt=eCcGFZQj6PNoSSma31LR39rTzTbLkU8E`
- A static IV is used across encryption operations, making the encrypted data less secure and potentially leading to patterns that can be exploited by attackers. `IV=0000000000000000`

### Recommendation:

1. Implement a secure method to generate an encryption key for each user or session, and store it using secure storage mechanisms.
2. Modify the encryption process to generate a random IV each time an encryption operation is performed.

Addressing these issues is critical to maintaining the confidentiality and integrity of the data processed by Archery. It is recommended to take immediate action to correct these vulnerabilities and prevent potential exploits.
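
The effect of the static IV described above, as an added example that is not Archery's code: CBC is run once with the advisory's fixed IV and once with a fresh random IV per message, and the ciphertexts of two constructed records are compared. A toy Feistel permutation stands in for AES so the block runs with the standard library only; the function names, the sample records and the ASCII encoding of the IV are assumptions.

```python
import hashlib
import hmac
import os

BLOCK = 16
STATIC_IV = b"0000000000000000"  # the IV value quoted in the advisory

def toy_block_encrypt(key, block):
    """Stand-in for AES (assumption, NOT secure): 4-round Feistel on 16 bytes."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def cbc_encrypt(key, iv, plaintext):
    """CBC with PKCS#7 padding: XOR each block with the previous ciphertext block."""
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    prev, out = iv, b""
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out += prev
    return out

def encrypt_static_iv(key, plaintext):
    """Pattern reported in the advisory: every message starts from the same IV."""
    return cbc_encrypt(key, STATIC_IV, plaintext)

def encrypt_random_iv(key, plaintext):
    """Recommended pattern: fresh IV per message, stored in front of the ciphertext."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)

def shared_leading_blocks(a, b):
    """Count identical leading 16-byte blocks of two ciphertexts."""
    n = 0
    while n < min(len(a), len(b)) and a[n:n + BLOCK] == b[n:n + BLOCK]:
        n += BLOCK
    return n // BLOCK

def demo():
    key = os.urandom(32)  # constructed demo key
    p1 = b"host=db01.internal;user=audit;password=alpha-1"  # constructed records
    p2 = b"host=db01.internal;user=audit;password=bravo-2"  # same first 39 bytes
    return {name: shared_leading_blocks(enc(key, p1), enc(key, p2))
            for name, enc in (("static_iv", encrypt_static_iv), ("random_iv", encrypt_random_iv))}

if __name__ == "__main__":
    print(demo())
```

With the static IV the two ciphertexts share their first two blocks, which shows an observer that the records begin with the same 32 bytes; with a random IV per message no blocks match.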