25410 matches found
Use of Hard-coded Cryptographic Key
Overview: org.apache.syncope.core:syncope-core-provisioning-java is an Open Source system for managing digital identities in enterprise environments, implemented in Java EE technology and released under Apache 2.0 license. Affected versions of this package are vulnerable to Use of Hard-coded...
CVE-2025-65998
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained...
CVE-2025-65998 Apache Syncope: Default AES key used for internal password encryption
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtained...
CVE-2025-65998
CVE-2025-65998 affects Apache Syncope where storing user passwords in the internal database with AES can expose cleartext passwords if the AES key is hard-coded in the source. The issue occurs when the AES option is enabled; the default key value is always used, enabling an attacker with internal...
Apache Syncope Security Vulnerability
Apache Syncope is an open source digital identity management system from the Apache Foundation (United States) for use in enterprise environments. The system supports identity management, role configuration and more. Apache Syncope has a trust management issue vulnerability that stems from...
PT-2025-47918
Name of the Vulnerable Software and Affected Versions: Apache Syncope versions prior to 3.0.15; Apache Syncope versions prior to 4.0.3. Description: Apache Syncope, when configured to use AES encryption for storing user passwords in its internal database, utilizes a hard-coded default key. This allow...
IBM Concert Cryptographic Issue Vulnerability
IBM Concert is a generative artificial intelligence-driven automated application management and monitoring tool based on the watsonx platform released in May 2024 by IBM. IBM Concert suffers from a cryptographic issue vulnerability that stems from the use of weak encryption algorithms, which can ...
SUSE CVE-2025-13470
In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array. Any data encrypted using public-key encryption in this release...
Linux Distros Unpatched Vulnerability : CVE-2025-13470
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized...
CVE-2025-64767 hpke-js reuses AEAD nonces
hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal calls. This can lead to complete loss of Confidentiality...
DEBIAN-CVE-2025-13470
In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array. Any data encrypted using public-key encryption in this release...
CVE-2025-13470
In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array. Any data encrypted using public-key encryption in this release...
UBUNTU-CVE-2025-13470
In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array. Any data encrypted using public-key encryption in this release...
EUVD-2025-198494
In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array. Any data encrypted using public-key encryption in this release...
CVE-2025-13470
CVE-2025-13470 affects RNP prior to 0.18.1, where a refactoring regression left the symmetric session key for PKESK packets uninitialized beyond zeroing. The result is an all-zero session key for PKESK, allowing data encrypted with public-key encryption to be decrypted trivially, compromising con...
CVE-2025-13470 RNP 0.18.0 Vulnerable PKESK session keys
In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array. Any data encrypted using public-key encryption in this release...