
13 matches found

RedHat Linux
added 3 days ago · 13 views

jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication

A flaw was found in pgjdbc, an open-source PostgreSQL JDBC Driver. A malicious server can exploit this vulnerability by instructing the driver to perform SCRAM-SHA-256 (Salted Challenge Response Authentication Mechanism, Secure Hash Algorithm 256) authentication with an excessively large iteration...

CVSS 7.5 · AI score 5.7 · EPSS 0.00043
Exploits: 0 · References: 6

RedHat Linux
added 2026/05/20 12:47 p.m. · 5 views

jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication

A flaw was found in pgjdbc, an open-source PostgreSQL JDBC Driver. A malicious server can exploit this vulnerability by instructing the driver to perform SCRAM-SHA-256 (Salted Challenge Response Authentication Mechanism, Secure Hash Algorithm 256) authentication with an excessively large iteration...

CVSS 7.5 · AI score 5.7 · EPSS 0.00043
Exploits: 0 · References: 6

RedhatCVE
added 2026/03/23 10:53 a.m. · 2 views

CVE-2026-33204

A flaw was found in SimpleJWT, a PHP library for JSON Web Tokens. An unauthenticated attacker can exploit this vulnerability by tampering with JSON Web Encryption (JWE) headers when Password-Based Key Derivation Function 2 (PBES2) algorithms are in use. This can lead to a Denial of Service (DoS) if an...

CVSS 7.5 · AI score 5.7 · EPSS 0.00045
Exploits: 1 · References: 5

EUVD
added 2026/01/13 7:27 p.m. · 4 views

EUVD-2026-2025

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2...

CVSS 8.7 · AI score 6.4 · EPSS 0.00014
Exploits: 0 · References: 7

OSV
added 2026/01/13 2:53 p.m. · 2 views

GHSA-36H5-VRQ6-PP34 Jervis's Salt for PBKDF2 derived from password

Vulnerability: https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L869-L870...

CVSS 8.7 · AI score 6.9 · EPSS 0.00014
Exploits: 0 · References: 7

IBM Security Bulletins
added 2025/09/25 11:52 a.m. · 4 views

Security Bulletin: Vulnerabilities in pbkdf2 affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.

Summary: Potential vulnerabilities in pbkdf2 have been identified that affect IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. The vulnerabilities have been addressed. Refer to details for additional information...

CVSS 9.1 · AI score 6.7 · EPSS 0.00416
Exploits: 0 · Affected Software: 2

Redos
added 2025/08/27 12:00 a.m. · 2 views

ROS-20250827-06

A vulnerability in the pbkdf2 library of the Node.js software platform is related to a flaw in the input data validation mechanism. Exploitation of the vulnerability could allow an attacker acting remotely to forge a digital signature by sending specially crafted packets...

CVSS 9.1 · AI score 7 · EPSS 0.00416
Exploits: 0

vulnersOsv
added 2025/06/23 10:41 p.m. · 1 views

@0cfg/utils-node (>=0.1.2 <=0.1.8), @b0ase/path402-api (=4.0.0-alpha.1) +262 more potentially affected by CVE-2025-6545 via pbkdf2 (>=3.0.12 <=3.1.2)

pbkdf2 NPM version =3.0.12, =0.1.2, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =2.38.0, =1.45.0, =1.1.14, =1.20.2, =1.3.13, =3.8.1, =4.26.0 and more Source cves: CVE-2025-6545 Source advisory: OSV:GHSA-H7CP-R72F-JXH6...

CVSS 9.1 · AI score 5.8 · EPSS 0.00416
Exploits: 0

RustSec
added 2024/12/28 12:00 p.m. · 3 views

Use of insecure cryptographic algorithms

This crate uses a number of cryptographic algorithms that are no longer considered secure and it uses them in ways that do not guarantee the integrity of the encrypted data. MagicCrypt64 uses the insecure DES block cipher in CBC mode without authentication. This allows for practical brute force a...

AI score 7
Exploits: 0

RedHat Linux
added 2024/07/25 3:04 p.m. · 1 views

jose4j: denial of service via specially crafted JWE

A flaw was found in the jose.4.j (jose4j) library. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down...

CVSS 6.5 · AI score 7.1 · EPSS 0.00383
Exploits: 1 · References: 4

OSV
added 2023/12/28 4:36 p.m. · 0 views

GHSA-CW2R-4P82-QV79 DoS with algorithms that use PBKDF2 due to unbounded PBES2 Count value

Impact: Denial of Service, Applications that allow the use of the PBKDF2 algorithm. Patches: A patch is available that sets the maximum number of default rounds. Workarounds: Applications that do not need to use PBKDF2 should simply specify the algorithms in use and exclude it from the list. Applicatio...

CVSS 5.3 · AI score 5.9 · EPSS 0.00029
Exploits: 0 · References: 9

Positive Technologies
added 2023/12/03 12:00 a.m. · 0 views

PT-2023-7638 · Unknown · Lestrrat-Go/Jwx

Name of the Vulnerable Software and Affected Versions: lestrrat-go/jwx versions prior to 1.2.27; lestrrat-go/jwx versions prior to 2.0.18. Description: The issue is related to the JWE key management algorithms based on PBKDF2, which require a JOSE Header Parameter called p2c (PBES2 Count). This...

CVSS 5.3 · AI score 5.3 · EPSS 0.00183
Exploits: 1 · References: 12

SUSE CVE
added 2023/02/15 5:20 a.m. · 1 views

SUSE CVE-2015-2936

MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing, allows remote attackers to cause a denial of service (CPU consumption) via a long password...

CVSS 7.1 · AI score 6.6 · EPSS 0.0189
Exploits: 0 · References: 3