PatchSiren cyber security CVE debrief

CVE-2017-5999 Syspass CVE debrief

CVE-2017-5999 is a cryptographic implementation issue in sysPass 2.x before 2.1. The vulnerable code in inc/SP/Core/Crypt.class selected MCRYPT_RIJNDAEL_256 (Rijndael with a 256-bit block size, which is not AES) instead of MCRYPT_RIJNDAEL_128 (the AES-compatible variant). NVD rates the issue as HIGH (CVSS 7.5): network access, no privileges and no user interaction required, with high confidentiality impact.

Vendor: Syspass
Product: CVE-2017-5999
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-06
Original CVE updated: 2026-05-13
Advisory published: 2017-03-06
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running sysPass 2.x, especially any deployment still on versions before 2.1. Teams responsible for credential storage, secrets management, or password vaulting should treat this as important because the flaw affects the cryptographic handling of protected data.

Technical summary

NVD identifies this as CWE-326 (Inadequate Encryption Strength). The described problem is not a generic AES weakness; it is the selection of Rijndael with a 256-bit block size where the AES-compatible 128-bit-block Rijndael should have been used. The vulnerability is associated with sysPass 2.x before 2.1, and the fix is referenced by a GitHub commit and the 2.1.0.17022601 release tag. NVD’s CVSS v3 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Defensive priority

High

Recommended defensive actions

  • Upgrade sysPass to version 2.1 or later; the linked release notes and patch reference identify the fixed line of development.
  • Inventory all sysPass deployments and confirm whether any instance is on 2.0 or another pre-2.1 build.
  • Review any data that may have been protected by the affected encryption path and assess whether additional compensating controls are needed.
  • Verify the deployed package matches the patched release and that the vulnerable Crypt.class implementation is no longer present.
  • Monitor vendor and NVD records for any clarifications to the affected version scope, since the original description says 2.x before 2.1 while the NVD CPE entry specifically names 2.0.
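One way to carry out the verification step above, as an added example that is not part of this debrief or of the sysPass project: a small Python audit that scans PHP sources for the mcrypt constants the advisory names and grades each file. The verdict labels, the treatment of a .class suffix as PHP, and the PHP fragments are constructed for the example.

```python
import re
from pathlib import Path

# Constant names are those in the advisory; the verdict labels are ours.
VERDICTS = {
    "MCRYPT_RIJNDAEL_256": "vulnerable",  # 256-bit block Rijndael, not AES
    "MCRYPT_RIJNDAEL_192": "warning",     # 192-bit block Rijndael, not AES either
    "MCRYPT_RIJNDAEL_128": "ok",          # 128-bit block Rijndael, i.e. AES
}
CONST_RE = re.compile(r"\b(MCRYPT_RIJNDAEL_(?:128|192|256))\b")
COMMENT_RE = re.compile(r"^\s*(//|#|\*|/\*)")  # comment-only lines are skipped

def audit_php_source(text):
    """Return [(line_no, constant, verdict)] for each cipher selection in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if COMMENT_RE.match(line):  # a stale comment about Rijndael-256 is not a finding
            continue
        for const in CONST_RE.findall(line):
            findings.append((line_no, const, VERDICTS[const]))
    return findings

def overall_verdict(findings):
    """Collapse findings to one status: worst verdict wins; none means 'clean'."""
    ranking = {"vulnerable": 3, "warning": 2, "ok": 1}
    if not findings:
        return "clean"
    return max((verdict for _, _, verdict in findings), key=ranking.__getitem__)

def audit_tree(root, suffixes=(".php", ".class")):
    """Audit PHP-like files under root -> {relative_path: verdict}. Treating
    '.class' as a PHP suffix is an assumption from the advisory's 'Crypt.class'."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(errors="replace")
            report[str(path.relative_to(root))] = overall_verdict(audit_php_source(text))
    return report

# Constructed PHP fragments for demonstration only; not sysPass's real source.
VULNERABLE_SAMPLE = """<?php
// legacy path: open the cipher with mcrypt
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CBC, '');
"""
PATCHED_SAMPLE = """<?php
// was MCRYPT_RIJNDAEL_256 before the 2.1 fix
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
"""
```

Run audit_tree against an unpacked sysPass install to get a per-file verdict; a deployment on the patched release should report no "vulnerable" files.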

Evidence notes

Based only on the supplied official NVD record and the referenced vendor/project links. NVD marks the CVE as modified on 2026-05-13 and lists CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N with CWE-326. The provided references include a GitHub patch commit and the 2.1.0.17022601 release tag, which support remediation guidance. The version scope in the source corpus is slightly mixed: the textual description says sysPass 2.x before 2.1, while the NVD CPE criteria explicitly enumerate syspass 2.0.

Official resources

CVE published: 2017-03-06T06:59:00.287Z. Source and CVE modified timestamp: 2026-05-13T00:24:29.033Z. The supplied corpus does not indicate KEV inclusion or ransomware association.