Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 918430 (CVE-2023-44690)

Summary: dev-db/mycli: inadequate encryption of configuration
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: trivial CC: parona, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/dbcli/mycli/issues/1131
Whiteboard: ~4 [upstream]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-24 20:57:53 UTC
CVE-2023-44690:

Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py
Comment 1 Alfred Wingate 2023-12-15 21:11:21 UTC
Issue closed by author.

https://github.com/dbcli/mycli/issues/1131#issuecomment-1849023748
"""
This CVE does appear to be a false positive. I'd recommend that a project maintainer contact the CVE program to dispute this CVE.

    Contact form: https://cveform.mitre.org/
    Select a request type "Request an update to an existing CVE Entry."
    Type of update requested: "Rejection"
    Fill out CVE ID + Rationale

As @terjeros pointed out, MySQL uses AES ECB for this specific purpose, and this library is compatible with MySQL.

@gxx777 - I'd recommend contacting the MySQL server project to discuss the use of AES ECB by the MySQL Configuration Utility to determine if it should be considered a vulnerability!
"""
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-07 01:27:15 UTC
Thanks! Invalid for us then.