Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918430 (CVE-2023-44690) - dev-db/mycli: inadequate encryption of configuration
Summary: dev-db/mycli: inadequate encryption of configuration
Status: RESOLVED INVALID
Alias: CVE-2023-44690
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/dbcli/mycli/issues...
Whiteboard: ~4 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-24 20:57 UTC by John Helmert III
Modified: 2024-01-07 01:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-24 20:57:53 UTC 
CVE-2023-44690:

Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py
Comment 1 Alfred Wingate 2023-12-15 21:11:21 UTC 
Issue closed by author.

https://github.com/dbcli/mycli/issues/1131#issuecomment-1849023748
"""
This CVE does appear to be a false positive. I'd recommend that a project maintainer contact the CVE program to dispute this CVE.

    Contact form: https://cveform.mitre.org/
    Select a request type "Request an update to an existing CVE Entry."
    Type of update requested: "Rejection"
    Fill out CVE ID + Rationale

As @terjeros pointed out, MySQL uses AES ECB for this specific purpose, and this library is compatible with MySQL.

@gxx777 - I'd recommend contacting the MySQL server project to discuss the use of AES ECB by the MySQL Configuration Utility to determine if it should be considered a vulnerability!
"""
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-07 01:27:15 UTC 
Thanks! Invalid for us then.