Total
384 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-4610 | 1 Clickstudios | 1 Passwordstate | 2023-12-10 | N/A | 5.5 MEDIUM |
A vulnerability, which was classified as problematic, has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. Affected by this issue is some unknown functionality. The manipulation leads to risky cryptographic algorithm. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-216272. | |||||
CVE-2022-2781 | 1 Octopus | 1 Octopus Server | 2023-12-10 | N/A | 5.3 MEDIUM |
In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables. | |||||
CVE-2022-34632 | 1 Linuxfoundation | 1 Rocket Chip Generator | 2023-12-10 | N/A | 9.1 CRITICAL |
Rocket-Chip commit 4f8114374d8824dfdec03f576a8cd68bebce4e56 was discovered to contain insufficient cryptography via the component /rocket/RocketCore.scala. | |||||
CVE-2022-34757 | 1 Schneider-electric | 2 Easergy P5, Easergy P5 Firmware | 2023-12-10 | N/A | 5.3 MEDIUM |
A CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists where weak cipher suites can be used for the SSH connection between Easergy Pro software and the device, which may allow an attacker to observe protected communication details. Affected Products: Easergy P5 (V01.401.102 and prior) | |||||
CVE-2022-34320 | 1 Ibm | 1 Cics Tx | 2023-12-10 | N/A | 7.5 HIGH |
IBM CICS TX 11.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 229464. | |||||
CVE-2022-34319 | 1 Ibm | 1 Cics Tx | 2023-12-10 | N/A | 7.5 HIGH |
IBM CICS TX 11.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 229463. | |||||
CVE-2022-38493 | 1 Rhonabwy Project | 1 Rhonabwy | 2023-12-10 | N/A | 7.5 HIGH |
Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn't check the RSA private key length before RSA-OAEP decryption. This allows attackers to cause a Denial of Service via a crafted JWE (JSON Web Encryption) token. | |||||
CVE-2022-35513 | 1 Blink1 | 1 Blink1control2 | 2023-12-10 | N/A | 7.5 HIGH |
The Blink1Control2 application <= 2.2.7 uses weak password encryption and an insecure method of storage. | |||||
CVE-2022-30187 | 1 Microsoft | 2 Azure Storage Blobs, Azure Storage Queue | 2023-12-10 | 1.9 LOW | 4.7 MEDIUM |
Azure Storage Library Information Disclosure Vulnerability | |||||
CVE-2022-29965 | 1 Emerson | 49 Deltav Distributed Control System, Deltav Distributed Control System Sq Controller, Deltav Distributed Control System Sq Controller Firmware and 46 more | 2023-12-10 | N/A | 5.5 MEDIUM |
The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. Access to privileged operations on the maintenance port TELNET interface (23/TCP) on M-series and SIS (CSLS/LSNB/LSNG) nodes is controlled by means of utility passwords. These passwords are generated using a deterministic, insecure algorithm using a single seed value composed of a day/hour/minute timestamp with less than 16 bits of entropy. The seed value is fed through a lookup table and a series of permutation operations resulting in three different four-character passwords corresponding to different privilege levels. An attacker can easily reconstruct these passwords and thus gain access to privileged maintenance operations. NOTE: this is different from CVE-2014-2350. | |||||
CVE-2022-39237 | 1 Sylabs | 1 Singularity Image Format | 2023-12-10 | N/A | 9.8 CRITICAL |
syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure. | |||||
CVE-2022-2097 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Active Iq Unified Manager and 12 more | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p). | |||||
CVE-2022-45195 | 1 Simplex | 2 Simplex Chat, Simplexmq | 2023-12-10 | N/A | 5.3 MEDIUM |
SimpleXMQ before 3.4.0, as used in SimpleX Chat before 4.2, does not apply a key derivation function to intended data, which can interfere with forward secrecy and can have other impacts if there is a compromise of a single private key. This occurs in the X3DH key exchange for the double ratchet protocol. | |||||
CVE-2021-27784 | 1 Hcltech | 1 Hcl Launch Container Image | 2023-12-10 | N/A | 7.5 HIGH |
The provided HCL Launch Container images contain non-unique HTTPS certificates and a database encryption key. The fix provides directions and tools to replace the non-unique keys and certificates. This does not affect the standard installer packages. | |||||
CVE-2022-1434 | 2 Netapp, Openssl | 43 A250, A250 Firmware, A700s and 40 more | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: 1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers 2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration) 3) The ciphersuite must have been explicitly added to the ciphersuite list 4) The libssl security level must have been set to 0 (default is 1) 5) A version of SSL/TLS below TLSv1.3 must have been negotiated 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). | |||||
CVE-2021-39082 | 1 Ibm | 1 Urbancode Deploy | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
IBM UrbanCode Deploy (UCD) 7.1.1.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | |||||
CVE-2022-20117 | 1 Google | 1 Android | 2023-12-10 | 2.1 LOW | 5.5 MEDIUM |
In (TBD) of (TBD), there is a possible way to decrypt local data encrypted by the GSC due to improperly used crypto. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-217475903References: N/A | |||||
CVE-2021-33018 | 1 Philips | 4 Myvue, Speech, Vue Motion and 1 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The use of a broken or risky cryptographic algorithm in Philips Vue PACS versions 12.2.x.x and prior is an unnecessary risk that may result in the exposure of sensitive information. | |||||
CVE-2022-29217 | 2 Fedoraproject, Pyjwt Project | 2 Fedora, Pyjwt | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding. | |||||
CVE-2022-1252 | 1 Gnuboard | 1 Gnuboard5 | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
Use of a Broken or Risky Cryptographic Algorithm in GitHub repository gnuboard/gnuboard5 prior to and including 5.5.5. A vulnerability in gnuboard v5.5.5 and below uses weak encryption algorithms leading to sensitive information exposure. This allows an attacker to derive the email address of any user, including when the 'Let others see my information.' box is ticked off. Or to send emails to any email address, with full control of its contents |