Headline
GHSA-67fj-6w6m-w5j8: Reversible One-Way Hash in io.github.javaezlib:JavaEZ
Impact
This weakness allows the force decryption of locked text by hackers. The issue is NOT critical for non-secure applications, however may be critical in a situation where the highest levels of security are required. This issue ONLY affects v1.6 and does not affect anything pre-1.6. Upgrading to 1.7 is advised.
Patches
The vulnerability has been patched in release 1.7.
Workarounds
Currently there is no way to fix the issue without upgrading.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in our issue tracker
- Email us at [email protected]
Package
maven io.github.javaezlib:JavaEZ (Maven )
Affected versions
= 1.6
Patched versions
1.7
Description
Impact
This weakness allows the force decryption of locked text by hackers. The issue is NOT critical for non-secure applications, however may be critical in a situation where the highest levels of security are required. This issue ONLY affects v1.6 and does not affect anything pre-1.6. Upgrading to 1.7 is advised.
Patches
The vulnerability has been patched in release 1.7.
Workarounds
Currently there is no way to fix the issue without upgrading.
References
CWE-327
CWE-328
For more information
If you have any questions or comments about this advisory:
- Open an issue in our issue tracker
- Email us at [email protected]
References
- GHSA-67fj-6w6m-w5j8
- https://nvd.nist.gov/vuln/detail/CVE-2022-29249
- https://github.com/JavaEZLib/JavaEZ/releases/tag/1.7
JavaEZLib published the maintainer security advisory
May 22, 2022
Severity
High
7.5
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses
CWE-327 CWE-328
CVE ID
CVE-2022-29249
GHSA ID
GHSA-67fj-6w6m-w5j8
Source code
JavaEZLib/JavaEZ
Improvements are not currently accepted on this advisory because it uses an unsupported versioning operator. Read more and discuss here.
Related news
JavaEZ is a library that adds new functions to make Java easier. A weakness in JavaEZ 1.6 allows force decryption of locked text by unauthorized actors. The issue is NOT critical for non-secure applications, however may be critical in a situation where the highest levels of security are required. This issue ONLY affects v1.6 and does not affect anything pre-1.6. The vulnerability has been patched in release 1.7. Currently, there is no way to fix the issue without upgrading.