CVE-2024-36823
Published: 06 June 2024
Summary
CVE-2024-36823 is a high-severity Inadequate Encryption Strength (CWE-326) vulnerability in Ninjaframework Ninja. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-36823 affects the encrypt() function in Ninja Core version 7.0.0, which relies on a weak cryptographic algorithm and thereby exposes sensitive information to potential leakage. The issue is tracked under CWE-326 and CWE-327 and carries a CVSS 3.1 base score of 7.5 reflecting a network-accessible vector with low attack complexity and no required privileges or user interaction.
An unauthenticated remote attacker can invoke the vulnerable encrypt() routine to obtain high-confidentiality impact without affecting integrity or availability. The supplied references consist of GitHub issue trackers for the ninjaframework/ninja project, though they contain no explicit mitigation guidance or patch details in the available information.
EPSS values remain near 0.118 with only a negligible peak difference, indicating no material post-disclosure rise in exploitation probability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1989
Vulnerability details
The encrypt() function of Ninja Core v7.0.0 was discovered to use a weak cryptographic algorithm, leading to a possible leakage of sensitive information.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Ongoing education and sharing of recommended practices helps organizations identify and migrate away from broken or risky cryptographic algorithms.
Risk updates surface newly-broken or risky cryptographic algorithms as threat intelligence and computing advances evolve, enabling timely replacement.
Specifies required cryptography types and parameters, preventing selection of inadequate encryption strength.
Flaw remediation replaces broken or risky cryptographic algorithms once safer implementations are released by vendors.
Contacts with security groups provide timely information on broken or risky cryptographic algorithms, reducing the likelihood of their selection and use.
Cross-organization threat feeds commonly include advances in cryptanalysis and active exploits against weak or broken algorithms, allowing organizations to deprecate them proactively.
Capital planning and funding allow selection and ongoing support of strong cryptographic algorithms rather than weak or broken ones.
Scanners flag use of broken or weak cryptographic algorithms via known-vulnerability databases.