Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-nynf-r4u1-u7fh
Vulnerability ID VCID-nynf-r4u1-u7fh
Aliases GHSA-h3m5-p59h-x88p
Summary openssl-encrypt has visible password in process list via --password CLI argument ### Summary Passwords passed via the `--password` / `-p` CLI argument in `openssl_encrypt/modules/crypt_cli_subparser.py` at **lines 150-154** are visible to any user on the system via `ps aux` or `/proc/[pid]/cmdline`. ### Affected Code ```python subparser.add_argument( "--password", "-p", help="Password (will prompt if not provided, or use CRYPT_PASSWORD environment variable)", ) ``` Similarly, `--keystore-password` exposes the keystore password. ### Impact On multi-user systems, any user can observe the encryption password by listing processes. The `CRYPT_PASSWORD` environment variable alternative is also visible via `/proc/[pid]/environ` (though with slightly restricted access). ### Recommended Fix - Document the security implications prominently - Recommend interactive prompting (already supported) as the secure default - Consider supporting password file descriptors (`--password-fd`) or reading from stdin - Consider marking the argument as deprecated in favor of interactive prompting ### Fix Fixed in commit `e78a366` on branch `releases/1.4.x` — added --password-file and --password-fd arguments; added OPENSSL_ENCRYPT_PASSWORD env var support; --password now emits deprecation warning.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-256 Plaintext Storage of a Password
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-h3m5-p59h-x88p
cvssv4 6.6 https://github.com/jahlives/openssl_encrypt
generic_textual MODERATE https://github.com/jahlives/openssl_encrypt
cvssv4 6.6 https://github.com/jahlives/openssl_encrypt/commit/e78a3666e4592f3538adaaa6be8f5f04356174db
generic_textual MODERATE https://github.com/jahlives/openssl_encrypt/commit/e78a3666e4592f3538adaaa6be8f5f04356174db
cvssv3.1_qr MODERATE https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-h3m5-p59h-x88p
cvssv4 6.6 https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-h3m5-p59h-x88p
generic_textual MODERATE https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-h3m5-p59h-x88p
Reference id Reference type URL
https://github.com/jahlives/openssl_encrypt
https://github.com/jahlives/openssl_encrypt/commit/e78a3666e4592f3538adaaa6be8f5f04356174db
https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-h3m5-p59h-x88p
GHSA-h3m5-p59h-x88p https://github.com/advisories/GHSA-h3m5-p59h-x88p
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/jahlives/openssl_encrypt
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/jahlives/openssl_encrypt/commit/e78a3666e4592f3538adaaa6be8f5f04356174db
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-h3m5-p59h-x88p
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-12T07:49:40.566635+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-h3m5-p59h-x88p/GHSA-h3m5-p59h-x88p.json 38.6.0