Home > Vulnerability Database > CVE-2022-35928

Mend.io Vulnerability Database

CVE-2022-35928

Date: August 3, 2022

AES Crypt is a file encryption software for multiple platforms. AES Crypt for Linux built using the source on GitHub and having the version number 3.11 has a vulnerability with respect to reading user-provided passwords and confirmations via command-line prompts. Passwords lengths were not checked before being read. This vulnerability may lead to buffer overruns. This does not affect source code found on aescrypt.com, nor is the vulnerability present when providing a password or a key via the "-p" or "-k" command-line options. The problem was fixed via in commit 68761851b and will be included in release 3.16. Users are advised to upgrade. Users unable to upgrade should us the "-p" or "-k" options to provide a password or key.

Language: C

Severity Score

8.4

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-35928

Url: https://github.com/paulej/AESCrypt/commit/68761851b595e96c68c3f46bfc21167e72c6a22c

Url: https://github.com/paulej/AESCrypt/security/advisories/GHSA-r7fv-72pg-fwrq

Url: https://www.mend.io/vulnerability-database/CVE-2022-35928

Severity Score

8.4

Weakness Type (CWE)

Improper Authentication

CWE-287

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-120

Improper Validation of Specified Quantity in Input

CWE-1284

CVSS v3.1

Base Score:	8.4
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-35928

Date: August 3, 2022

Language: C

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?