{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T14:15:52.373","vulnerabilities":[{"cve":{"id":"CVE-2021-41278","sourceIdentifier":"security-advisories@github.com","published":"2021-11-19T00:15:08.017","lastModified":"2024-11-21T06:25:57.203","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Functions SDK for EdgeX is meant to provide all the plumbing necessary for developers to get started in processing/transforming/exporting data out of the EdgeX IoT platform. In affected versions broken encryption in app-functions-sdk “AES” transform in EdgeX Foundry releases prior to Jakarta allows attackers to decrypt messages via unspecified vectors. The app-functions-sdk exports an “aes” transform that user scripts can optionally call to encrypt data in the processing pipeline. No decrypt function is provided. Encryption is not enabled by default, but if used, the level of protection may be less than the user may expect due to a broken implementation. Version v2.1.0 (EdgeX Foundry Jakarta release and later) of app-functions-sdk-go/v2 deprecates the “aes” transform and provides an improved “aes256” transform in its place. The broken implementation will remain in a deprecated state until it is removed in the next EdgeX major release to avoid breakage of existing software that depends on the broken implementation. As the broken transform is a library function that is not invoked by default, users who do not use the AES transform in their processing pipelines are unaffected. Those that are affected are urged to upgrade to the Jakarta EdgeX release and modify processing pipelines to use the new \"aes256\" transform."},{"lang":"es","value":"El SDK de funciones para EdgeX está destinado a proporcionar toda la fontanería necesaria para que los desarrolladores se inicien en el procesamiento/transformación/exportación de datos de la plataforma EdgeX IoT. 
En las versiones afectadas, un cifrado roto en la transformación \"AES\" de app-functions-sdk en las versiones de EdgeX Foundry anteriores a Jakarta permite a atacantes descifrar mensajes por medio de vectores no especificados. El app-functions-sdk exporta una transformación \"aes\" a la que los scripts de usuario pueden llamar opcionalmente para cifrar datos en la cadena de procesamiento. No es proporcionada ninguna función de descifrado. El cifrado no está habilitado por defecto, pero si es usado, el nivel de protección puede ser menor de lo que el usuario espera debido a una implementación rota. La versión v2.1.0 (versión EdgeX Foundry Jakarta y posteriores) de app-functions-sdk-go/v2 deja de lado la transformación \"aes\" y proporciona una transformación \"aes256\" mejorada en su lugar. La implementación rota permanecerá en un estado obsoleto hasta que sea eliminada en la próxima versión mayor de EdgeX para evitar la ruptura del software existente que depende de la implementación rota. Como la transformación rota es una función de biblioteca que no es invocada por defecto, los usuarios que no usan la transformación AES en sus procesos no están afectados. 
Se insta a los afectados a que actualicen a la versión de Jakarta EdgeX y a que modifiquen las cadenas de procesamiento para usar la nueva transformación \"aes256\""}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":3.6}],"cvssMetricV30":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":4.2}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:H/Au:N/C:P/I:N/A:N","baseScore":2.6,"accessVector":"NETWORK","accessComplexity":"HIGH","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"LOW","exploitabilityScore":4.9,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-327"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:edgexfoundry:app_service_configurable:*:*:*:*:*:go:*:*","versionEndExcluding":"2.1.0","matchCriteriaId":"FD2737A1-BEFF-435D-A67E-332A028428D0"},{"vulnerable":
true,"criteria":"cpe:2.3:a:edgexfoundry:application_functions_software_development_kit:*:*:*:*:*:go:*:*","versionEndExcluding":"2.1.0","matchCriteriaId":"61A41CE4-667B-4542-9DCE-8AE74C833E1A"},{"vulnerable":true,"criteria":"cpe:2.3:a:edgexfoundry:edgex_foundry:*:*:*:*:*:*:*:*","versionEndExcluding":"2.1.0","matchCriteriaId":"074E346B-F4CD-4D04-B061-8F250D349CAA"}]}]}],"references":[{"url":"https://github.com/edgexfoundry/app-functions-sdk-go/commit/8fa13c6388ce76a6b878b54490eac61aa7d81165","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/edgexfoundry/app-functions-sdk-go/security/advisories/GHSA-6c7m-qwxj-mvhp","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/edgexfoundry/app-functions-sdk-go/commit/8fa13c6388ce76a6b878b54490eac61aa7d81165","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/edgexfoundry/app-functions-sdk-go/security/advisories/GHSA-6c7m-qwxj-mvhp","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}