5835 matches found

Prion
added 2021/04/16 6:15 p.m. | 17 views

Code injection

jose is an npm library providing a number of cryptographic operations. In vulnerable versions, decryption with the AES_CBC_HMAC_SHA2 algorithms (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be thrown. A...

CVSS 4.3 | AI score 5.7 | EPSS 0.00316
Exploits 0 | References 2 | Affected Software 1
Cvelist
added 2021/04/16 5:35 p.m. | 12 views

CVE-2021-29443 Padding Oracle Attack due to Observable Timing Discrepancy in jose

jose is an npm library providing a number of cryptographic operations. In vulnerable versions, decryption with the AES_CBC_HMAC_SHA2 algorithms (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be thrown. A...

CVSS 5.9 | AI score 5.9 | EPSS 0.00316
Exploits 0 | References 2
CNNVD
added 2021/04/16 12:0 a.m. | 4 views

jose-node-cjs-runtime security vulnerability

npm jose-node-cjs-runtime is an application from the American company npm. Provides distributions of jose with smaller bundle/installation sizes. A security vulnerability exists in jose-node-cjs-runtime in versions prior to 3.11.4, which stems from the possibility of a significant difference in t...

CVSS 5.9 | AI score 7 | EPSS 0.00394
Exploits 0 | References 3
CNNVD
added 2021/04/16 12:0 a.m. | 3 views

jose-node-esm-runtime security vulnerability

npm jose-node-esm-runtime is an application from npm, Inc. It is a "JSON Web Almost Everything" implementation (JWA, JWS, JWE, JWT, JWK) that uses the Node.js crypto module with no dependencies. A security vulnerability exists in jose-node-esm-runtime prior to version 3.11.4 that arises from a significant...

CVSS 5.9 | AI score 7 | EPSS 0.00394
Exploits 0 | References 3
CNNVD
added 2021/04/16 12:0 a.m. | 3 views

jose-browser-runtime security vulnerability

npm jose-browser-runtime is an application from the US company npm. Generic "JSON Web Almost Everything" (JWA, JWS, JWE, JWT, JWK) using the native encryption runtime without dependencies. A security vulnerability exists in jose-browser-runtime, which stems from the possibility of a noticeable time...

CVSS 5.9 | AI score 7 | EPSS 0.00394
Exploits 0 | References 3
CNNVD
added 2021/04/16 12:0 a.m. | 2 views

jose security vulnerability

npm jose is an application from the U.S. company npm. It provides JWA, JWS, JWE, JWT, JWK using the native encryption runtime without dependencies. A security vulnerability exists in npm jose that stems from a possible timing difference when a padding error occurs while decrypting a ciphertext. No detailed...

CVSS 5.9 | AI score 5.5 | EPSS 0.00316
Exploits 0 | References 4
OSV
added 2021/04/14 8:4 p.m. | 28 views

GO-2020-0010 Elliptic curve key disclosure in github.com/square/go-jose

When using ECDH-ES, an attacker can mount an invalid curve attack during decryption, as the supplied public key is not checked to be on the same curve as the receiver's private key...

CVSS 9.1 | AI score 9.1 | EPSS 0.00188
Exploits 0 | References 2
RedHat Linux
added 2021/04/14 5:12 p.m. | 1 view

Mozilla: Logic issue potentially leaves key material unlocked

Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. This vulnerability affects Thunderbird 78.8.1...

CVSS 7.5 | AI score 7.4 | EPSS 0.00131
Exploits 1 | References 4
RedHat Linux
added 2021/04/14 4:34 p.m. | 3 views

m2crypto: Bleichenbacher timing attacks in the RSA decryption API

A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 ciphertext. The highest threat from this vulnerability is to confidentiality...

CVSS 5.9 | AI score 5.7 | EPSS 0.00307
Exploits 0 | References 4
OpenVAS
added 2021/04/13 12:0 a.m. | 14 views

Huawei EulerOS: Security Advisory for openssl (EulerOS-SA-2021-1721)

The remote host is missing an update for the Huawei EulerOS...

CVSS 7.5 | AI score 7.2 | EPSS 0.00958
Exploits 0 | References 2
OSV
added 2021/04/12 6:15 p.m. | 1 view

CVE-2020-4965

IBM Jazz Team Server products use weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 192422...

CVSS 7.5 | AI score 6.5 | EPSS 0.00111
Exploits 0 | References 2
NVD
added 2021/04/12 6:15 p.m. | 14 views

CVE-2020-4965

IBM Jazz Team Server products use weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 192422...

CVSS 7.5 | EPSS 0.00111
Exploits 0 | References 2
CVE
added 2021/04/12 6:0 p.m. | 48 views

CVE-2020-4965

CVE-2020-4965 affects IBM Jazz Team Server / Jazz Foundation (IBM Engineering Lifecycle Management). The vulnerability stems from weaker-than-expected cryptographic algorithms that could allow decrypting highly sensitive information. Public scoring varies: CVSSv3.1 base 7.5 (Network, High impact ...

CVSS 7.5 | AI score 7.6 | EPSS 0.00111
Exploits 0 | References 2 | Affected Software 12
CNNVD
added 2021/04/12 12:0 a.m. | 2 views

IBM Jazz Team Server encryption issue vulnerability

IBM Jazz Team Server is an application server from IBM USA. Provides base services that enable a group of tools to work together as a single logical server and includes any number of Jazz Team Server Extensions that provide tool-specific functionality. A security vulnerability exists in IBM Jazz...

CVSS 7.5 | AI score 5.6 | EPSS 0.00111
Exploits 0 | References 4
GitHub Security Blog
added 2021/04/07 8:36 p.m. | 64 views

Exposure of Resource to Wrong Sphere and Insecure Temporary File in Ansible

A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17, 2.8.x before 2.8.11 and 2.9.x before 2.9.7, as well as Ansible Tower before and including versions 3.4.5, 3.5.5 and 3.6.3, when using modules which decrypt vault files such as assemble, script, unarchiv...

CVSS 5.5 | AI score 1.2 | EPSS 0.00205
Exploits 0 | References 10 | Affected Software 1
CNVD
added 2021/03/31 12:0 a.m. | 9 views

Ovarro Tbox Information Disclosure Vulnerability

Ovarro Tbox is an application platform from Ovarro Germany. It offers new automation possibilities, simplifies system engineering and enables key industries worldwide to remotely control and monitor their applications. A security vulnerability exists in the Ovarro Tbox product, which can be...

CVSS 9.8 | AI score 6.8 | EPSS 0.0024
Exploits 0 | References 1
ThreatPost
added 2021/03/30 8:31 p.m. | 114 views

Ziggy Ransomware Gang Offers Refunds to Victims

The Ziggy ransomware gang announced in early February they were getting out of the cybercrime business. Now they say they’re ready to refund their victims’ money. Anyone who paid a ransom to Ziggy just needs to shoot them an email with proof of payment calculated in Bitcoin and the computer ID...

AI score 7.6
Exploits 0 | References 32
OSV
added 2021/03/30 6:15 p.m. | 6 views

CVE-2021-21412

Potential for arbitrary code execution in npm package @thi.ng/egf in gpg-tagged property values, only if the decrypt: true option is enabled. A PR with a patch has been submitted and has been released as of v0.4.0. By default the EGF parse functions do NOT attempt to decrypt values since GPG only availab...

CVSS 8.8 | AI score 7.7
Exploits 0 | References 4
Prion
added 2021/03/25 7:15 p.m. | 21 views

Design/Logic Flaw

A flaw was found in libtpms in versions before 0.8.2. The commonly used integration of libtpms with OpenSSL contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV, it returned the initial IV to the calle...

CVSS 2.1 | AI score 5.3 | EPSS 0.00047
Exploits 0 | References 1 | Affected Software 3
Debian CVE
added 2021/03/25 6:45 p.m. | 19 views

CVE-2021-3446

A flaw was found in libtpms in versions before 0.8.2. The commonly used integration of libtpms with OpenSSL contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV, it returned the initial IV to the calle...

CVSS 5.5 | AI score 5.4 | EPSS 0.00047
Exploits 0