IronCore responsibly discloses vulnerabilities publicly on this page and via other appropriate channels, if warranted. We also credit the researcher who found the issue with their approval.
After logging out of the Admin Console, anyone retaining the deleted login cookie could still use the system.
None. This issue was resolved shortly after receipt. Login cookies no longer work after a logout event.
Thanks to Jayesh Patel for this report on 8/4/18 and to Sumit Jain who reported it a short time later.
Missing SPF records on subdomains
Regression reducing the randomness for some operations
Title: Regression reducing the randomness for some operations
Date: 2019-10-30
Severity: high
The randomness of some operations was reduced after a regression was introduced in recrypt-rs 0.8.0. Affected 256-bit operations were:
480-bit operations were not affected.
- recrypt-rs 0.8.0 - 0.8.3
Secondary (due to dependency on vulnerable recrypt-rs):
All impacted versions have been removed from distribution and patch version bumps with the fix have been released.
We recommend that all users upgrade as soon as possible. Furthermore, we recommend that any keys generated while using a vulnerable library be regenerated if they’re used for production purposes. Please note that all encryption operations generate per-object keys as part of encryption, so we recommend that all documents encrypted using these versions of the SDKs be re-encrypted using new document IDs. Groups created using these versions of the SDKs should be re-created, and any data encrypted to the old groups should be encrypted to the new ones.
This issue was found by our team during internal testing.
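To act on the upgrade recommendation above, the following added example (not IronCore's own code) scans a Rust project's Cargo.lock for a recrypt-rs version in the affected 0.8.0 - 0.8.3 range. It assumes the crate is recorded in the lockfile under the name `recrypt` or `recrypt-rs`; the sample lockfile is constructed.

```python
import re
import sys

# Affected range as stated in the advisory: recrypt-rs 0.8.0 - 0.8.3 (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (0, 8, 0), (0, 8, 3)
# Assumption: the crate is recorded in Cargo.lock as "recrypt" (or "recrypt-rs").
CRATE_NAMES = {"recrypt", "recrypt-rs"}

PACKAGE_RE = re.compile(r'^\[\[package\]\][ \t\r]*$', re.M)
FIELD_RE = re.compile(r'^(name|version)[ \t]*=[ \t]*"([^"]*)"[ \t\r]*$', re.M)

# Constructed sample lockfile, not taken from any real project.
SAMPLE_LOCK = """\
[[package]]
name = "rand"
version = "0.7.2"

[[package]]
name = "recrypt"
version = "0.8.2"
dependencies = [
 "rand 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)",
]

[metadata]
"""

def parse_lock(text):
    """Yield (name, version) for every [[package]] entry in Cargo.lock text."""
    for block in PACKAGE_RE.split(text)[1:]:
        # Cut the block at the next table header (for example [metadata]).
        block = re.split(r'^\[', block, maxsplit=1, flags=re.M)[0]
        fields = dict(FIELD_RE.findall(block))
        if "name" in fields and "version" in fields:
            yield fields["name"], fields["version"]

def core_version(version):
    """Return (major, minor, patch); pre-release/build suffixes are ignored."""
    m = re.match(r'(\d+)\.(\d+)\.(\d+)', version)
    return tuple(int(p) for p in m.groups()) if m else None

def affected_packages(lock_text):
    """Return [(name, version)] for lockfile entries inside the affected range."""
    return [(n, v) for n, v in parse_lock(lock_text)
            if n in CRATE_NAMES and (c := core_version(v))
            and AFFECTED_MIN <= c <= AFFECTED_MAX]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version in affected_packages(text):
        print(f"AFFECTED: {name} {version} (advisory range 0.8.0 - 0.8.3)")
```

Because Cargo.lock lists transitive dependencies, the same check also flags Rust projects that pull in recrypt-rs indirectly. A clean result does not cover keys or documents already created with an affected version; those still need the regeneration and re-encryption steps above.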