CVE-2024-28864

SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded wit...

CVE-2024-28864 [TagAwareCipher] - Decryption Failure (Regex Match)

SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded wit...

Fedora: Security Advisory for plexus-cipher (FEDORA-2024-129d8ca6fc)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

[SECURITY] Fedora 40 Update: plexus-cipher-2.0-11.fc40

Plexus Cipher: encryption/decryption Component...

BIT-VAULT-2023-2197 Vault Enterprise Vulnerable to Padding Oracle Attacks When Using a CBC-based Encryption Mechanism with a HSM

HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKMAESCBCPAD or CKMAESCBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in orde...

The Added Value of SNI-Only Mode in Imperva Cloud WAF

Imperva has modified the default behavior for new cloud WAF sites, now enforcing Server Name Indication SNI-only traffic by default. This shift is aimed at optimizing the utilization of TLS-related features, both those currently in place and those slated for the future roadmap. This blog post wil...

CVE-2023-6935

wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the following options to configure: --enable-all CFLAGS="-DWOLFSSLSTATICRSA" The define “WOLFSSLSTATICRSA” enables static RSA cipher suites, which is n...

CVE-2023-6935

wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the following options to configure: --enable-all CFLAGS="-DWOLFSSLSTATICRSA" The define “WOLFSSLSTATICRSA” enables static RSA cipher suites, which is n...

CVE-2023-6935 Marvin Attack vulnerability in SP Math All RSA

wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the following options to configure: --enable-all CFLAGS="-DWOLFSSLSTATICRSA" The define “WOLFSSLSTATICRSA” enables static RSA cipher suites, which is n...

GLSA-202402-08 : OpenSSL: Multiple Vulnerabilities

The remote host is affected by the vulnerability described in GLSA-202402-08 OpenSSL: Multiple Vulnerabilities - OpenSSL supports creating a custom cipher via the legacy EVPCIPHERmethnew function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors ar...

Marvin Attack

wolfssl is vulnerable to Marvin Attack. The vulnerability is due to the implementation of the RSA cipher within the wolfSSL library, when Enables static RSA cipher suites using the "--enable-all" option and the "-DWOLFSSLSTATICRSA" CFLAGS option.It allows an attacker to decrypt ciphertexts and...

Security Bulletin: TLS padding vulnerability affects Content Manager Enterprise Edition (CVE-2014-8730)

Summary Transport Layer Security TLS padding vulnerability via a POODLE Padding Oracle On Downgraded Legacy Encryption like attack affects Content Manager Enterprise Edition. Vulnerability Details CVE-ID : CVE-2014-8730 DESCRIPTION : Product could allow a remote attacker to obtain sensitive...

GHSA-GR79-9V6V-GC9R Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers

Summary Dex 2.37.0 is serving HTTPS with insecure TLS 1.0 and TLS 1.1. Details While working on https://github.com/dexidp/dex/issues/2848 and implementing configurable TLS support, I noticed my changes did not have any effect in TLS config, so I started investigating...

Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers

Summary Dex 2.37.0 is serving HTTPS with insecure TLS 1.0 and TLS 1.1. Details While working on https://github.com/dexidp/dex/issues/2848 and implementing configurable TLS support, I noticed my changes did not have any effect in TLS config, so I started investigating...

Security Bulletin: AIX is vulnerable to a denial of service (CVE-2023-5678, CVE-2023-6129, CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL

Summary Vulnerabilities in OpenSSL could allow a remote attacker to cause a denial of service CVE-2023-5678, CVE-2023-6129, CVE-2023-6237 or obtain sensitive information CVE-2023-5363. OpenSSL is used by AIX as part of AIX's secure network communications. Vulnerability Details CVEID:CVE-2023-5363...

Authentication flaw

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in...

CVE-2024-23656 Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in...

CVE-2024-23656 Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in...

CVE-2024-23656

Dex 2.37.0 serves HTTPS with TLS 1.0/1.1 and non-respected cipher suites because tlsConfig is ignored after the TLS cert reloader; minimum TLS version hardening is ineffective. This can allow eavesdropping on TLS 1.0/1.1 traffic. The issue is fixed in Dex 2.38.0.

openssl security update

1:3.0.7-25.0.1 - Replace upstream references Orabug: 34340177 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted Resolves: RHEL-5317 - Don't limit using SHA1 in KDFs in non-FIPS mode. Resolves: RHEL-5295 - Provide empty evpproperties section in main OpenSSL configuration fi...