451 matches found
Authentication flaw
modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In modauthopenidc before version 2.4.9, the AES GCM encryption in modauthopenidc uses a static IV and...
CVE-2021-32791
mod_auth_openidc is an Apache 2.x authentication module that, before version 2.4.9, used a static IV and AAD for AES-GCM encryption, causing nonce reuse and potential cryptographic issues. The issue is fixed in 2.4.9 and later by using dynamic IV/AAD values via cjose AES routines. Affected system...
CVE-2021-32791 Hardcoded static IV and AAD with a reused key in AES GCM encryption in mod_auth_openidc
modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In modauthopenidc before version 2.4.9, the AES GCM encryption in modauthopenidc uses a static IV and...
CVE-2021-32791
modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In modauthopenidc before version 2.4.9, the AES GCM encryption in modauthopenidc uses a static IV and...
GHSA-55XH-53M6-936R Improper Verification of Cryptographic Signature in aws-encryption-sdk-java
Impact This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This update addresses an issue where certain invalid ECDSA signatures incorrectly passed validation. These signatures provide defense in depth...
Improper Verification of Cryptographic Signature in aws-encryption-sdk-java
Impact This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This update addresses an issue where certain invalid ECDSA signatures incorrectly passed validation. These signatures provide defense in depth...
OpenSSH 6.2 <= 6.3 Permissions, Privileges, and Access Controls Vulnerability
A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher [email protected] or [email protected] is selected during kex exchange. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, a...
GHSA-W3HJ-WR2Q-X83G Discovery uses the same AES/GCM Nonce throughout the session
Discovery uses the same AES/GCM Nonce throughout the session though it should be generated on per message basis which can lead to the leaking of the session key. As the actual ENR record is signed with a different key it is not possible for an attacker to alter the ENR record. Note that the node...
Discovery uses the same AES/GCM Nonce throughout the session
Discovery uses the same AES/GCM Nonce throughout the session though it should be generated on per message basis which can lead to the leaking of the session key. As the actual ENR record is signed with a different key it is not possible for an attacker to alter the ENR record. Note that the node...
RUSTSEC-2021-0062 project abandoned; migrate to the `aes-siv` crate
The Miscreant project has been abandoned and archived. The Rust implementation has been adapted into the new aes-siv crate which implements both the AES-CMAC-SIV and AES-PMAC-SIV constructions: Please migrate to the aes-siv crate. Alternatively see the aes-gcm-siv crate for a newer, faster...
project abandoned; migrate to the `aes-siv` crate
The Miscreant project has been abandoned and archived. The Rust implementation has been adapted into the new aes-siv crate which implements both the AES-CMAC-SIV and AES-PMAC-SIV constructions: Please migrate to the aes-siv crate. Alternatively see the aes-gcm-siv crate for a newer, faster...
Exploit for Command Injection in Rubyonrails Rails
CVE-2019-5420 Ruby-on-Rails offers three different environmen...
Valvesoftware GameNetworkingSockets Buffer Error Vulnerability
Valvesoftware GameNetworkingSockets is a transport layer support software for games to pass data from Valvesoftware USA. A security vulnerability exists in Valve Game Networking Sockets versions prior to 1.2.0, which stems from the incorrect handling of long encrypted messages in...
In-band Protocol Negotiation And Robustness Weakness
aws-encryption-sdk suffers from an In-band protocol negotiation and robustness weakness. The SDK allows a unique ciphertext to be decrypted into different results due to the non-committing property of AES-GCM, and other AEAD ciphers such as AES-GCM-SIV, or XChaCha20Poly1305, when encrypting...
CVE-2020-8897
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM and other AEAD ciphers such as AES-GCM-SIV or XChaCha20Poly1305 used by the SDKs to encrypt messages, an attacker can craft a...
CVE-2020-8897
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM and other AEAD ciphers such as AES-GCM-SIV or XChaCha20Poly1305 used by the SDKs to encrypt messages, an attacker can craft a...
Design/Logic Flaw
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM and other AEAD ciphers such as AES-GCM-SIV or XChaCha20Poly1305 used by the SDKs to encrypt messages, an attacker can craft a...
PYSEC-2020-261
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM and other AEAD ciphers such as AES-GCM-SIV or XChaCha20Poly1305 used by the SDKs to encrypt messages, an attacker can craft a...
CVE-2020-8897
CVE-2020-8897 : A weak robustness vulnerability affects the AWS Encryption SDKs for Java, Python, C and Javalcript prior to 2.0.0. The non-committing property of AES-GCM (and related AEAD ciphers) can let an attacker craft a unique ciphertext that decrypts to multiple different results, which is ...
CVE-2020-8897 Robustness weakness in AWS KMS and Encryption SDKs
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM and other AEAD ciphers such as AES-GCM-SIV or XChaCha20Poly1305 used by the SDKs to encrypt messages, an attacker can craft a...