Vulnerability Details : CVE-2022-29249
JavaEZ is a library that adds new functions to make Java easier. A weakness in JavaEZ 1.6 allows force decryption of locked text by unauthorized actors. The issue is NOT critical for non-secure applications, however may be critical in a situation where the highest levels of security are required. This issue ONLY affects v1.6 and does not affect anything pre-1.6. The vulnerability has been patched in release 1.7. Currently, there is no way to fix the issue without upgrading.
Products affected by CVE-2022-29249
- cpe:2.3:a:javaez_project:javaez:1.6:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-29249
0.14%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 49 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-29249
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2022-29249
-
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.Assigned by: nvd@nist.gov (Primary)
-
The product uses a broken or risky cryptographic algorithm or protocol.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
-
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).Assigned by: security-advisories@github.com (Secondary)
References for CVE-2022-29249
-
https://github.com/JavaEZLib/JavaEZ/releases/tag/1.7
Release Release 1.7 - Security Patch · JavaEZLib/JavaEZ · GitHubRelease Notes;Third Party Advisory
-
https://github.com/JavaEZLib/JavaEZ/security/advisories/GHSA-67fj-6w6m-w5j8
Reversible One-Way Hash and Use of a Broken or Risky Cryptographic Algorithm in io.github.javaezlib.JavaEZ · Advisory · JavaEZLib/JavaEZ · GitHubThird Party Advisory
Jump to