Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
`libparsec_crypto` does not check for weak order point of curve 25519
Vulnerability Description
Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order point of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability to for both parties to obtain the same shared key (hence leading to a successful SAS code exchange, misleading both parties into thinking no MITM has occurred) which is also known by the attacker. Note only Parsec web is impacted (as Parsec desktop uses `libparsec_crypto` with the libsodium backend). Version 3.6.0 of Parsec patches the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Vulnerability Type
使用已被攻破或存在风险的密码学算法
Vulnerability Title
parsec-cloud 安全漏洞
Vulnerability Description
parsec-cloud是Scille开源的一个文件共享工具。 parsec-cloud 3.6.0之前版本存在安全漏洞,该漏洞源于libparsec_crypto组件未检查Curve25519的弱阶点,可能导致中间人攻击。
CVSS Information
N/A
Vulnerability Type
N/A