Lucene search
+L

451 matches found

Prion
Prion
added 2021/07/26 5:15 p.m.31 views

Authentication flaw

modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In modauthopenidc before version 2.4.9, the AES GCM encryption in modauthopenidc uses a static IV and...

4.3CVSS6AI score0.01503EPSS
Exploits0References7Affected Software2
CVE
CVE
added 2021/07/26 12:0 a.m.317 views

CVE-2021-32791

mod_auth_openidc is an Apache 2.x authentication module that, before version 2.4.9, used a static IV and AAD for AES-GCM encryption, causing nonce reuse and potential cryptographic issues. The issue is fixed in 2.4.9 and later by using dynamic IV/AAD values via cjose AES routines. Affected system...

5.9CVSS6AI score0.01503EPSS
Exploits0References7Affected Software1
Cvelist
Cvelist
added 2021/07/26 12:0 a.m.47 views

CVE-2021-32791 Hardcoded static IV and AAD with a reused key in AES GCM encryption in mod_auth_openidc

modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In modauthopenidc before version 2.4.9, the AES GCM encryption in modauthopenidc uses a static IV and...

5.9CVSS6.4AI score0.01503EPSS
Exploits0References7
Debian CVE
Debian CVE
added 2021/07/26 12:0 a.m.55 views

CVE-2021-32791

modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In modauthopenidc before version 2.4.9, the AES GCM encryption in modauthopenidc uses a static IV and...

5.9CVSS6.1AI score0.01503EPSS
Exploits0
OSV
OSV
added 2021/06/01 9:17 p.m.20 views

GHSA-55XH-53M6-936R Improper Verification of Cryptographic Signature in aws-encryption-sdk-java

Impact This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This update addresses an issue where certain invalid ECDSA signatures incorrectly passed validation. These signatures provide defense in depth...

6.9CVSS5.9AI score0.0021EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2021/06/01 9:17 p.m.46 views

Improper Verification of Cryptographic Signature in aws-encryption-sdk-java

Impact This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This update addresses an issue where certain invalid ECDSA signatures incorrectly passed validation. These signatures provide defense in depth...

5.3CVSS5.7AI score0.0021EPSS
Exploits0References4Affected Software1
OpenVAS
OpenVAS
added 2021/05/27 12:0 a.m.19 views

OpenSSH 6.2 <= 6.3 Permissions, Privileges, and Access Controls Vulnerability

A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher [email protected] or [email protected] is selected during kex exchange. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, a...

6CVSS6.7AI score0.0267EPSS
Exploits1References1
OSV
OSV
added 2021/04/06 5:22 p.m.16 views

GHSA-W3HJ-WR2Q-X83G Discovery uses the same AES/GCM Nonce throughout the session

Discovery uses the same AES/GCM Nonce throughout the session though it should be generated on per message basis which can lead to the leaking of the session key. As the actual ENR record is signed with a different key it is not possible for an attacker to alter the ENR record. Note that the node...

5.3CVSS5.2AI score0.00489EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2021/04/06 5:22 p.m.43 views

Discovery uses the same AES/GCM Nonce throughout the session

Discovery uses the same AES/GCM Nonce throughout the session though it should be generated on per message basis which can lead to the leaking of the session key. As the actual ENR record is signed with a different key it is not possible for an attacker to alter the ENR record. Note that the node...

5.3CVSS1.4AI score0.00489EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2021/02/28 12:0 p.m.18 views

RUSTSEC-2021-0062 project abandoned; migrate to the `aes-siv` crate

The Miscreant project has been abandoned and archived. The Rust implementation has been adapted into the new aes-siv crate which implements both the AES-CMAC-SIV and AES-PMAC-SIV constructions: Please migrate to the aes-siv crate. Alternatively see the aes-gcm-siv crate for a newer, faster...

7.1AI score
Exploits0References3
RustSec
RustSec
added 2021/02/28 12:0 p.m.19 views

project abandoned; migrate to the `aes-siv` crate

The Miscreant project has been abandoned and archived. The Rust implementation has been adapted into the new aes-siv crate which implements both the AES-CMAC-SIV and AES-PMAC-SIV constructions: Please migrate to the aes-siv crate. Alternatively see the aes-gcm-siv crate for a newer, faster...

0.6AI score
Exploits0
GithubExploit
GithubExploit
added 2021/01/20 3:6 p.m.142 views

Exploit for Command Injection in Rubyonrails Rails

CVE-2019-5420 Ruby-on-Rails offers three different environmen...

9.8CVSS8.3AI score0.92144EPSS
Exploits13
CNNVD
CNNVD
added 2020/12/01 12:0 a.m.10 views

Valvesoftware GameNetworkingSockets Buffer Error Vulnerability

Valvesoftware GameNetworkingSockets is a transport layer support software for games to pass data from Valvesoftware USA. A security vulnerability exists in Valve Game Networking Sockets versions prior to 1.2.0, which stems from the incorrect handling of long encrypted messages in...

9.8CVSS7.9AI score0.031EPSS
Exploits1References3
Veracode
Veracode
added 2020/11/17 1:12 a.m.22 views

In-band Protocol Negotiation And Robustness Weakness

aws-encryption-sdk suffers from an In-band protocol negotiation and robustness weakness. The SDK allows a unique ciphertext to be decrypted into different results due to the non-committing property of AES-GCM, and other AEAD ciphers such as AES-GCM-SIV, or XChaCha20Poly1305, when encrypting...

8.1CVSS4.2AI score0.00394EPSS
Exploits1References3Affected Software3
NVD
NVD
added 2020/11/16 12:15 p.m.42 views

CVE-2020-8897

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM and other AEAD ciphers such as AES-GCM-SIV or XChaCha20Poly1305 used by the SDKs to encrypt messages, an attacker can craft a...

8.1CVSS5.9AI score0.00394EPSS
Exploits1References2
OSV
OSV
added 2020/11/16 12:15 p.m.17 views

CVE-2020-8897

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM and other AEAD ciphers such as AES-GCM-SIV or XChaCha20Poly1305 used by the SDKs to encrypt messages, an attacker can craft a...

8.1CVSS7AI score
Exploits0References2
Prion
Prion
added 2020/11/16 12:15 p.m.22 views

Design/Logic Flaw

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM and other AEAD ciphers such as AES-GCM-SIV or XChaCha20Poly1305 used by the SDKs to encrypt messages, an attacker can craft a...

5.5CVSS7.9AI score0.00394EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2020/11/16 12:15 p.m.38 views

PYSEC-2020-261

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM and other AEAD ciphers such as AES-GCM-SIV or XChaCha20Poly1305 used by the SDKs to encrypt messages, an attacker can craft a...

8.1CVSS3.1AI score0.00394EPSS
Exploits1References2
CVE
CVE
added 2020/11/16 11:55 a.m.109 views

CVE-2020-8897

CVE-2020-8897 : A weak robustness vulnerability affects the AWS Encryption SDKs for Java, Python, C and Javalcript prior to 2.0.0. The non-committing property of AES-GCM (and related AEAD ciphers) can let an attacker craft a unique ciphertext that decrypts to multiple different results, which is ...

8.1CVSS6.2AI score0.00394EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2020/11/16 11:55 a.m.41 views

CVE-2020-8897 Robustness weakness in AWS KMS and Encryption SDKs

A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM and other AEAD ciphers such as AES-GCM-SIV or XChaCha20Poly1305 used by the SDKs to encrypt messages, an attacker can craft a...

4.8CVSS8AI score0.00394EPSS
Exploits1References2
Rows per page
Query Builder