CVE-2023-44690: Cryptographic API Misuse Vulnerability: AES ECB used for configuration · Issue #1131 · dbcli/mycli
Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py
Description:
I have identified a security vulnerability in the mycli project’s use of AES ECB (Electronic Codebook) mode for configuration. This vulnerability can potentially expose sensitive information and compromise the security of the application.
Locations:
- https://github.com/dbcli/mycli/blob/main/mycli/config.py#L192
- https://github.com/dbcli/mycli/blob/main/mycli/config.py#L270
Version:
mycli <= 1.27.0
Expected Behavior:
Instead of using AES ECB, it is recommended to use more secure encryption modes, such as AES CBC (Cipher Block Chaining) or AES GCM (Galois/Counter Mode), for configuration in order to enhance the security of mycli.
Actual Behavior:
Upon inspecting the config.py file, it has been found that AES ECB mode is used for configuration at line 192 and line 270. AES ECB does not provide adequate security due to its lack of diffusion and pattern repetition, making it vulnerable to certain attacks.
Recommendations:
It is strongly recommended to update the mycli project’s code at line 192 and line 270 in the config.py file to use more secure encryption modes, such as AES CBC or AES GCM, for configuration. This will help mitigate the potential security risks associated with using AES ECB. Otherwise, the cryptography.io (https://cryptography.io/) crypto library is good programming practice.
Additional Information:
Please note that using AES ECB for configuration can lead to information leakage and compromise the confidentiality of sensitive data stored within mycli. Upgrading to a more secure encryption mode will significantly enhance the security posture of the application.