GHSA-2J6R-9VV4-6GF5 github.com/bincyber/go-sqlcrypter vulnerable to IV collision
There is a risk of an IV collision using the awskms or aesgcm provider. NIST SP 800-38D section 8.3 states that it is unsafe to encrypt more than 2^32 plaintexts under the same key when using a random IV. The limit could easily be reached given the use case of database column encryption...
CVE-2024-32042
CVE-2024-32042 affects CyberPower PowerPanel Business Edition (PowerPanel business). Root cause: the cryptographic key used to encrypt passwords stored in the database is present in the PowerPanel application code, allowing recovery of those passwords (Storing Passwords in a Recoverable Format). ...
BIT-REDASH-2021-43780
Redash is a package for data visualization and sharing. In versions 10.0 and prior, the implementation of URL-loading data sources like JSON, CSV, or Excel is vulnerable to advanced methods of Server-Side Request Forgery (SSRF). These vulnerabilities are only exploitable on installations where a...
Signing DynamoDB Sets when using the AWS Database Encryption SDK.
Impact: This advisory addresses an issue when a DynamoDB Set attribute is marked as SIGN_ONLY in the AWS Database Encryption SDK (DB-ESDK) for DynamoDB. This also includes when a Set is part of a List or a Map. DB-ESDK for DynamoDB supports the SIGN_ONLY and ENCRYPT_AND_SIGN attribute actions. In version...
PT-2023-32985 · Amazon · AWS Database Encryption SDK (DB-ESDK) for DynamoDB
Name of the Vulnerable Software and Affected Versions: AWS Database Encryption SDK (DB-ESDK) for DynamoDB versions 3.1.0 and below. Description: The issue arises when a DynamoDB Set attribute is marked as SIGN_ONLY in the AWS Database Encryption SDK (DB-ESDK) for DynamoDB, including when a Set is part...
CVE-2022-41399
The CVE-2022-41399 issue affects Sage 300 (through 2022) where the optional Web Screens feature uses a hard-coded 40-byte Blowfish key (PASS_KEY) to encrypt/decrypt the PORTAL database connection string in dbconfig.xml. This cryptographic weakness could allow an attacker to access the SQL databas...
CVE-2023-27524 Apache Superset: Session validation vulnerability when using provided default SECRET_KEY
Session validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to the installation instructions allow an attacker to authenticate and access unauthorized resources. This does not affect Superset...
CVE-2022-3781
The Dashlane password and Keepass Server password in My Account Settings are not encrypted in the database in Devolutions Remote Desktop Manager 2022.2.26 and prior versions and Devolutions Server 2022.3.1 and prior versions, which allows database users to read the data. This issue affects: Remote...
CVE-2021-27784
The provided HCL Launch Container images contain non-unique HTTPS certificates and a database encryption key. The fix provides directions and tools to replace the non-unique keys and certificates. This does not affect the standard installer packages...
CVE-2021-27784 HCL Launch container images may contain non-unique https certificates and database encryption key
The provided HCL Launch Container images contain non-unique HTTPS certificates and a database encryption key. The fix provides directions and tools to replace the non-unique keys and certificates. This does not affect the standard installer packages...
CVE-2021-27784
CVE-2021-27784 affects HCL Launch Container images, where non-unique HTTPS certificates and a database encryption key are included. The documented vulnerability is limited to the container images and does not affect standard installer packages. The available remediation is a fix that provides dir...
PT-2022-9869 · HCL · HCL Launch Container
Name of the Vulnerable Software and Affected Versions: HCL Launch Container images, affected versions not specified. Description: The issue concerns non-unique HTTPS certificates and a database encryption key in the provided HCL Launch Container images. A fix is available, which includes directions...
HCL Technologies HCL Launch cryptographic issue vulnerability
HCL Technologies HCL Launch is a versatile, enterprise-grade continuous delivery automation software from HCL Technologies, Inc. for handling the most complex deployment processes in DevOps. A cryptographic issue vulnerability exists in the HCL Technologies HCL Launch Container that stems from th...
Elixir can leak information due to weak use of crypto
Elixir prior to and including 0.7.1 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database. A patch has been attached to the initial advisory to mitigate this...
Design/Logic Flaw
In S+ Operations and S+ Historian, the passwords of internal users (not Windows users) are encrypted but improperly stored in a database...