Versions of the package cocoon before 0.4.0 are vulnerable to Reusing a Nonce, Key Pair in Encryption when the encrypt, wrap, and dump functions are sequentially called. An attacker can generate the same ciphertext by creating a new encrypted message with the same cocoon object.
Note: The issue does NOT affect objects created with Cocoon::new which utilizes ThreadRng.
{ "nvd_published_at": "2024-10-02T05:15:11Z", "cwe_ids": [ "CWE-323" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-10-02T17:57:49Z" }