关键漏洞信息 标题: coze-dev coze-studio <0.2.4 Cryptographic Issues 描述: AES misuse in coze-studio plugin system enables deterministic encryption and key disclosure. 摘要: - The coze-studio plugin system implements AES-CBC with hard-coded ASCII keys and a fixed, predictable IV derived from the key. This violates established cryptographic guidance and maps to CWE-321 (hard-coded key) and CWE-329 (predictable IV for CBC). As a result, identical plaintexts encrypt to identical ciphertexts across sessions, enabling dictionary and pattern-matching attacks; anyone with source access can decrypt historical data. 受影响组件: - Plugin encryption helper (Go): constructs , where is the key bytes; constants such as , , and are embedded in code. 技术细节: - Hard-coded encryption keys permit offline decryption and cross-environment key reuse (CWE-321). - CBC mode IV equals the first block of the key ( ), so the IV is fixed and predictable (CWE-329). NIST SP 800-38A requires CBC IVs to be unpredictable/unique; deriving the IV from the key violates this requirement. - No authentication tag/MAC is applied, leaving ciphertext malleable and enabling pattern leakage typical of "Cryptographic Failures." 影响: - Confidentiality of plugin data is compromised; identical inputs are linkable, and any party obtaining the source (or leaked key constants) can decrypt stored values. Multi-tenant or forked deployments may share the same keys, amplifying exposure.