Insecure Hashing Algorithm

crypto-js is vulnerable to Insecure Hashing Algorithm. The vulnerability is present because the library uses the cryptographically weak sha1 algorithm by default. This weakness allows an attacker to potentially forge data, certificates, or digital signatures, which could lead to unauthorized acce...

crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard

Impact Summary Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standardOWASP PBKDF2 Cheatsheet. This is because it both 1 defaults to SHA1SHA1 wiki, a cryptographic hash algorithm considered insecure since at leas...

CVE-2023-46133

CVE-2023-46133 documents a weakness in CryptoES prior to v2.1.0 where PBKDF2 was configured by default to use SHA-1 with a single iteration (1,000), making it far weaker than the 1993 specification and current standards. This can impact password protection and digital signatures. A patch is avail...

CVE-2023-46133 crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard

CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a...

jose4j uses weak cryptographic algorithm

jose4j before v0.9.3 allows attackers to set a low PBES2 iteration count of 1000 or less...

Ubuntu 18.04 ESM : Gradle vulnerabilities (USN-4858-1)

The remote Ubuntu 18.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4858-1 advisory. It was discovered that Gradle used an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins were used. A...

Default credentials

Eaton easyE4 PLC offers a device password protection functionality to facilitate a secure connection and prevent unauthorized access. It was observed that the device password was stored with a weak encoding algorithm in the easyE4 program file when exported to SD card .PRG file ending...

Huawei EulerOS: Security Advisory for bind (EulerOS-SA-2023-2911)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Huawei EulerOS: Security Advisory for samba (EulerOS-SA-2023-2888)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Announcing the $12k NIST Elliptic Curves Seeds Bounty

The NIST elliptic curves that power much of modern cryptography were generated in the late '90s by hashing seeds provided by the NSA. How were the seeds generated? Rumor has it that they are in turn hashes of English sentences, but the person who picked them, Dr. Jerry Solinas, passed away in ear...

Google libwebp open source library remote code execution vulnerability

WebP is an image format developed by Google, which supports lossy and lossless compression of network images, and its compression effect and speed have certain advantages over PNG and JPEG formats. libwebp is a C/C++ open source library that implements the coding and decoding of the WebP image...

CVE-2023-39252

Dell SCG Policy Manager 5.16.00.14 contains a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by performing MitM attacks and let attackers obtain sensitive information...

CVE-2023-39252

Dell SCG Policy Manager 5.16.00.14 contains a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by performing MitM attacks and let attackers obtain sensitive information...

CVE-2023-39252

Dell EMC SCG Policy Manager 5.16.00.14 is affected by a broken cryptographic algorithm vulnerability that enables remote unauthenticated MitM attacks to obtain sensitive information. Root cause: cryptographic algorithm flaw in the policy manager; CVSS metrics indicate high confidentiality impact ...

Siemens LOGO! 8 BM Use of a Broken or Risky Cryptographic Algorithm (CVE-2020-25230)

A vulnerability has been identified in LOGO! 8 BM incl. SIPLUS variants All versions V8.3. Due to the usage of an outdated cipher mode on port 10005/tcp, an attacker could extract the encryption key from a captured communication with the device. This plugin only works with Tenable.ot. Please visi...

Duplicate Advisory: EVE Doesn't Measure Config Partition From 2 Fronts

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-phcg-h58r-gmcq. This link is maintained to preserve external references. Original Description PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was implemented in comm...

Duplicate Advisory: EVE Seals Vault Key With SHA1 PCRs

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-wc42-fcjp-v8vq. This link is maintained to preserve external references. Original Description Vault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a PCR locking mechanism...

CVE-2023-43635

Vault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a PCR locking mechanism. Different parts of the system update different PCR values in the TPM, resulting in a unique value for each PCR entry. These PCRs are then used in order to seal/unseal a key from the...

Signal Messenger Introduces PQXDH Quantum-Resistant Encryption

Encrypted messaging app Signal has announced an update to the Signal Protocol to add support for quantum resistance by upgrading the Extended Triple Diffie-Hellman X3DH specification to Post-Quantum Extended Diffie-Hellman PQXDH. "With this upgrade, we are adding a layer of protection against the...

SUSE SLES15: cobbler / drools / image-sync-formula / inter-server-sync / etc (SUSE-SU-2022:3750-1)

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3750-1 advisory. cobbler: - Consider case of 'nextserver' being a hostname during migration of Cobbler collections. - Fix problem with 'proxyurlext' setting bei...