DEBIAN-CVE-2021-3446

A flaw was found in libtpms in versions before 0.8.2. The commonly used integration of libtpms with OpenSSL contained a vulnerability related to the returned IV initialization vector when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the calle...

UBUNTU-CVE-2021-3446

A flaw was found in libtpms in versions before 0.8.2. The commonly used integration of libtpms with OpenSSL contained a vulnerability related to the returned IV initialization vector when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the calle...

Arch Linux libtpms 安全特征问题漏洞

Arch Linux libtpms is a US Arch Linux open source application. A library that provides software emulation of Trusted Platform Modules TPM 1.2 and TPM 2.0. Arch Linux libtpms 0.8.2 suffers from a security signature issue vulnerability that stems from not returning the last initialization vector, b...

OESA-2021-1065 php security update

PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is...

The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.

...

CVE-2020-1472

A flaw was found in the Microsoft Windows Netlogon Remote Protocol MS-NRPC, where it reuses a known, static, zero-value initialization vector IV in AES-CFB8 mode. This flaw allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and possibly obta...

Hardcoded Initialization Vector in parsel

All versions of parsel have a default hardcoded initialization vector. In cases where the IV is not provided, the package defaults to a hardcoded IV which renders the cipher vulnerable to chosen plaintext attacks. Recommendation The package is deprecated and will not be updated. Consider using an...

GHSA-2PPP-9496-P23Q Insufficient Entropy in Spring Security

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has...

CVE-2020-5408

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has...

CVE-2020-5408

CVE-2020-5408 (IBM) affects IBM Sterling Connect:Direct Web Services. A fixed null initialization vector in CBC mode for the queryable text encryptor may allow a dictionary attack to derive unencrypted values, exposing sensitive information. Remediation is via upgrading to supported fixes: IBM St...

CVE-2020-11877

airhost.exe in Zoom Client for Meetings 4.6.11 uses 3423423432325249 as the Initialization Vector IV for AES-256 CBC encryption. NOTE: the vendor states that this IV is used only within unreachable code...

CVE-2020-11877

airhost.exe in Zoom Client for Meetings 4.6.11 uses 3423423432325249 as the Initialization Vector IV for AES-256 CBC encryption. NOTE: the vendor states that this IV is used only within unreachable code...

PT-2020-12911 · Zoom · Zoom Client For Meetings

Name of the Vulnerable Software and Affected Versions: Zoom Client for Meetings version 4.6.11 Description: The issue concerns the use of a static Initialization Vector IV for AES-256 CBC encryption in the airhost.exe component. Specifically, the IV used is 3423423432325249. The vendor notes that...

USN-4306-1 dino-im vulnerabilities

It was discovered that Dino incorrectly validated inputs. An attacker could use this issue to possibly obtain, inject or remove sensitive information. This update also includes a fix to the encryption implementation in Dino to support 12 byte IVs, in addition to 16 byte IVs...

Hardcoded Initialization Vector

Overview All versions of parsel have a default hardcoded initialization vector. In cases where the IV is not provided, the package defaults to a hardcoded IV which renders the cipher vulnerable to chosen plaintext attacks. Recommendation The package is deprecated and will not be updated. Consider...

Insecure Encryption

Overview parsel is a library that allows you to encrypt and decrypt data with a given key. Affected versions of this package are vulnerable to Insecure Encryption. In cases where an initialisation vector is not supplied to the encrypt or decrypt call in parsel.rb, the initialisation vector used b...

Insecure Encryption

Overview parsel is a gem to encrypt and decrypt data with a given key. Affected versions of this package are vulnerable to Insecure Encryption. In cases where an initialisation vector is not supplied to the encrypt or decrypt call in parsel.rb, the initialisation vector used by the library is set...

CVE-2019-19411

USG9500 with versions of V500R001C30SPC100, V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, V500R005C00SPC100, V500R005C00SPC200 have an information leakage vulnerability. Due to improper processing of the initialization vector used in a specific encryption algorithm, an attacker who gai...

GHSA-H7QW-MXRM-C6H2 Unauthenticated crypto and weak IV in Magento\Framework\Encryption

The construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by guessing the value...

CVE-2019-7886

A cryptograhic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptograhic mechanism is used to generate the intialization vector in multiple security relevant contexts...