
85 matches found

CNNVD
added 2023/05/01 12:0 a.m. · 5 views

HashiCorp Vault Encryption Issue Vulnerability

HashiCorp Vault is a private key access management tool from HashiCorp (USA). A security vulnerability exists in HashiCorp Vault Enterprise that stems from Vault not properly applying HMAC to messages sent from the HSM when using a CBC-based encryption mechanism...

2.5 CVSS · 4.8 AI score · 0.00086 EPSS
Exploits 0 · References 3
SUSE CVE
added 2023/02/15 6:15 a.m. · 3 views

SUSE CVE-2006-2223

RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly implement configurations that (1) disable RIPv1 or (2) require plaintext or MD5 authentication, which allows remote attackers to obtain sensitive information (routing state) via REQUEST packets such as SEND UPDATE...

5 CVSS · 6.7 AI score · 0.1128 EPSS
Exploits 1 · References 4
SUSE CVE
added 2023/02/15 6:12 a.m. · 2 views

SUSE CVE-2007-2294

The Manager Interface in Asterisk before 1.2.18 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (crash) by using MD5 authentication to authenticate a user that does not have a password defined in manager.conf, resulting in a NULL pointer dereference...

7.8 CVSS · 7.1 AI score · 0.03863 EPSS
Exploits 0 · References 5
SUSE CVE
added 2023/02/15 6:9 a.m. · 4 views

SUSE CVE-2008-0960

SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7)...

10 CVSS · 7.2 AI score · 0.6879 EPSS
Exploits 7 · References 6
SUSE CVE
added 2023/02/15 6:5 a.m. · 2 views

SUSE CVE-2009-0217

The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0...

5 CVSS · 6.9 AI score · 0.06348 EPSS
Exploits 0 · References 13
PyPA
added 2023/01/24 12:0 a.m. · 5 views

PYSEC-2023-1

Adyen has utility methods for validating notification HMAC signatures. The is_valid_hmac and is_valid_hmac_notification methods are vulnerable to a timing attack; you should compare the hash of the HMACs instead...

6.9 AI score
Exploits 0 · References 2 · Affected Software 1
Snyk
added 2022/06/23 9:24 a.m. · 5 views

Malicious Package

Overview: insomnia-plugin-simple-hmac-auth is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable ...

9.8 CVSS · 7 AI score
Exploits 0 · References 3
Positive Technologies
added 2021/04/16 12:0 a.m. · 9 views

PT-2021-18221 · Unknown · Jose-Node-Cjs-Runtime

Name of the Vulnerable Software and Affected Versions: jose-node-cjs-runtime versions prior to 3.11.4
Description: The AES CBC HMAC SHA2 Algorithm decryption in the jose-node-cjs-runtime package has a timing difference when a padding error occurs, creating a padding oracle. This allows an adversa...

5.9 CVSS · 6.4 AI score · 0.01238 EPSS
Exploits 0 · References 6
OSV
added 2021/03/01 10:15 p.m. · 19 views

CVE-2021-27878

An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to ga...

8.8 CVSS · 7.7 AI score · 0.23952 EPSS
Exploits 4 · References 3
RedHat Linux
added 2020/02/19 7:55 p.m. · 1 views

jenkins: Non-constant time HMAC comparison

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC...

5.3 CVSS · 6 AI score · 0.01397 EPSS
Exploits 0 · References 4
OSV
added 2019/09/26 9:30 p.m. · 4 views

GHSA-FGMR-VX7C-5WJ6 Timing attack on HMAC signature comparison in Apache Tapestry

The code which checks HMAC in form submissions used String.equals for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison...

9.8 CVSS · 7.7 AI score · 0.08752 EPSS
Exploits 1 · References 6
CNVD
added 2018/09/26 12:0 a.m. · 5 views

Apache Mesos Information Disclosure Vulnerability

Apache Mesos is open source cluster management software from the Apache Software Foundation (USA) that supports application architectures such as Hadoop, ElasticSearch and Spark. A security vulnerability exists in the comparison of the HMAC values generated in Apache Mesos...

5.9 CVSS · 6 AI score · 0.03056 EPSS
Exploits 0 · References 1
OSV
added 2018/08/22 12:0 a.m. · 2 views

UBUNTU-CVE-2018-10844

It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets...

5.9 CVSS · 6.5 AI score · 0.03623 EPSS
Exploits 0 · References 4
CNVD
added 2017/12/22 12:0 a.m. · 3 views

Linux kernel buffer overflow vulnerability (CNVD-2017-37875)

Linux kernel is the kernel used by Linux, the open source operating system released by the Linux Foundation in the United States. A buffer overflow vulnerability exists in the HMAC implementation in versions of Linux kernel prior to 4.14.8. A local attacker could exploit this vulnerability by...

7.8 CVSS · 7 AI score · 0.00557 EPSS
Exploits 0 · References 1
RedHat Linux
added 2017/04/04 5:15 p.m. · 6 views

keycloak: timing attack in JWS signature verification

It was found that keycloak's implementation of HMAC verification for JWS tokens uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks...

5.9 CVSS · 5.7 AI score · 0.02053 EPSS
Exploits 0 · References 4
CNVD
added 2016/09/05 12:0 a.m. · 1 views

jose-php information disclosure vulnerability (CNVD-2016-07257)

jose-php is a JSON Object Signing and Encryption library for PHP. A security vulnerability exists in versions of jose-php prior to 2.2.1 because HMAC comparisons are not performed in constant time. Remote attackers can obtain sensitive information by timing attacks...

4.3 CVSS · 6.6 AI score · 0.01342 EPSS
Exploits 0 · References 1
RedHat Linux
added 2013/03/12 5:52 p.m. · 4 views

rubygem-rack: Timing attack in cookie sessions

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that doe...

5.1 CVSS · 7 AI score · 0.05281 EPSS
Exploits 0 · References 4
OSV
added 2011/05/03 12:55 a.m. · 1 views

DEBIAN-CVE-2010-4803

Mojolicious before 0.999927 does not properly implement HMAC-MD5 checksums, which has unspecified impact and remote attack vectors...

10 CVSS · 7.1 AI score · 0.02029 EPSS
Exploits 0 · References 1
RedHat Linux
added 2010/12/08 7:7 p.m. · 1 views

kernel: sctp memory corruption in HMAC handling

The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel before 2.6.36 does not properly validate the hmac_ids array of an SCTP peer, which allows remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array...

8.3 CVSS · 5.9 AI score · 0.02024 EPSS
Exploits 0 · References 4
RedHat Linux
added 2010/11/10 7:0 p.m. · 2 views

kernel: sctp memory corruption in HMAC handling

The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel before 2.6.36 does not properly validate the hmac_ids array of an SCTP peer, which allows remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array...

8.3 CVSS · 5.9 AI score · 0.02024 EPSS
Exploits 0 · References 4