CVE-2024-21530

MEDIUM

cocoon < 0.4.0 - Reusing a Nonce, Key Pair in Encryption via Sequential Function Calls

Title source: llm
STIX 2.1

Description

Versions of the package cocoon before 0.4.0 are vulnerable to Reusing a Nonce, Key Pair in Encryption when the encrypt, wrap, and dump functions are sequentially called. An attacker can generate the same ciphertext by creating a new encrypted message with the same cocoon object. **Note:** The issue does NOT affect objects created with Cocoon::new which utilizes ThreadRng.

Scores

CVSS v3 4.5
EPSS 0.0014
EPSS Percentile 3.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-323
Status published
Products (2)
crates.io/cocoon 0 - 0.4.0crates.io
n/a/cocoon < 0.4.0
Published Oct 02, 2024
Tracked Since Feb 18, 2026