{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2023-26154","title":"Title"},{"category":"description","text":"Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file.\r\r**Note:**\r\rIn order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2023-26154","url":"https://www.suse.com/security/cve/CVE-2023-26154"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"}],"title":"SUSE CVE CVE-2023-26154","tracking":{"current_release_date":"2025-08-20T23:39:10Z","generator":{"date":"2025-08-20T23:39:10Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2023-26154","initial_release_date":"2025-08-20T23:39:10Z","revision_history":[{"date":"2025-08-20T23:39:10Z","number":"2","summary":"Current version"}],"status":"interim","version":"2"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"govulncheck-vulndb-0.0.20250818T190335-1.1","product":{"name":"govulncheck-vulndb-0.0.20250818T190335-1.1","product_id":"govulncheck-vulndb-0.0.20250818T190335-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/govulncheck-vulndb@0.0.20250818T190335-1.1?upstream=govulncheck-vulndb-0.0.20250818T190335-1.1.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"govulncheck-vulndb-0.0.20250818T190335-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1"},"product_reference":"govulncheck-vulndb-0.0.20250818T190335-1.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2023-26154","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2023-26154"}],"notes":[{"category":"general","text":"Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file.\r\r**Note:**\r\rIn order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1"]},"references":[{"category":"external","summary":"CVE-2023-26154","url":"https://www.suse.com/security/cve/CVE-2023-26154"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1"]}],"scores":[{"cvss_v3":{"baseScore":5.9,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250818T190335-1.1"]}],"threats":[{"category":"impact","date":"2023-12-06T06:00:06Z","details":"moderate"}],"title":"CVE-2023-26154"}]}