CVE-2024-36121 netty-incubator-codec-ohttp's BoringSSLAEADContext Repeats Nonces

netty-incubator-codec-ohttp is the OHTTP implementation for netty. BoringSSLAEADContext keeps track of how many OHTTP responses have been sent and uses this sequence number to calculate the appropriate nonce to use with the encryption algorithm. Unfortunately, two separate errors combine which...

Ross Anderson

Ross Anderson unexpectedly passed away Thursday night in, I believe, his home in Cambridge. I cant remember when I first met Ross. Of course it was before 2008, when we created the Security and Human Behavior workshop. It was well before 2001, when we created the Workshop on Economics and...

Dell PowerScale OneFS Encryption Issue Vulnerability (CNVD-2024-16188)

Dell PowerScale OneFS is an operating system from Dell USA. PowerScale OneFS operating system that provides horizontal scaling of NAS. Dell PowerScale OneFS suffers from an encryption issue vulnerability that stems from the use of a corrupted encryption algorithm, which can be exploited by an...

IBM CICS TX Standard and Advanced suffers from a cryptographic problem vulnerability (CNVD-2024-15366)

IBM CICS TX Standardand Advanced is a comprehensive, single transaction runtime package from International Business Machines IBM, Inc. It can provide a cloud-native deployment model for standalone applications. IBM CICS TX Standard and Advanced has a cryptographic issue vulnerability that stems...

IBM PowerSC Encryption Problem Vulnerability (CNVD-2024-09945)

IBM PowerSC is an International Business Machines IBM security and compliance solution for IBM Power Systems servers. IBM PowerSC has an encryption issue vulnerability that stems from the use of a weaker-than-expected encryption algorithm, which could be exploited by an attacker to decrypt highly...

Null pointer dereference

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if pkcs12.serializekeyandcertificates is called with both a certificate whose public key did not match the provided private key and an...

CVE-2024-26130

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if pkcs12.serializekeyandcertificates is called with both a certificate whose public key did not match the provided private key and an...

MeshCentral Security Vulnerability

MeshCentral is a complete web-based remote monitoring and management site for the MeshCentral community. A security vulnerability exists in MeshCentral version 1.1.16 that stems from an issue with the use of a corrupted or risky encryption algorithm...

IBM PowerSC 加密问题漏洞

IBM PowerSC is an International Business Machines IBM security and compliance solution for IBM Power Systems servers. IBM PowerSC has an encryption issue vulnerability that stems from the use of a weaker-than-expected encryption algorithm, which could be exploited by an attacker to decrypt highly...

DeviceFarmer STF Security Vulnerability

STF is an open source web application from Device Farmer for remotely debugging smartphones, smartwatches and other gadgets from the comfort of your browser. A security vulnerability exists in DeviceFarmer STF version v3.6.6, which stems from the use of a corrupted or risky encryption algorithm...

CVE-2023-50350

HCL DRYiCE MyXalytics is impacted by the use of a broken cryptographic algorithm for encryption, potentially giving an attacker ability to decrypt sensitive information...

Oops! Black Basta ransomware flubs encryption

Researchers at SRLabs have made a decryption tool available for Black Basta ransomware, allowing some victims of the group to decrypt files without paying a ransom. The decryptor works for victims whose files were encrypted between November 2022 and December 2023. The decryptor, called Black Bast...

Prefix Truncation Attacks in SSH Specification (Terrapin Attack)

The remote SSH server is supporting an specific encryption algorithm or MAC. Parts of their SSH specification are vulnerable to a novel prefix truncation attack a.k.a. Terrapin attack. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, a...

Huawei EulerOS: Security Advisory for samba (EulerOS-SA-2023-2888)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Monti Ransomware Returns with New Linux Variant and Enhanced Evasion Tactics

The threat actors behind the Monti ransomware have resurfaced after a two-month break with a new Linux version of the encryptor in its attacks targeting government and legal sectors. Monti emerged in June 2022, weeks after the Conti ransomware group shut down its operations, deliberately imitatin...

What Cisco Talos knows about the Rhysida ransomware

Cisco Talos is aware of the recent advisory published by the U.S. Department of Health and Human Services HHS warning the healthcare industry about Rhysida ransomware activity. As weve discussed recently, there has been huge growth in the ransomware and extortion space, potentially linked to the...

Debian dla-3515 : libcjose-dev - security update

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3515 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-3515-1 [email protected] https://www.debian.org/lts/security/...

CVE-2023-37464

A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption JWE. A fixed length of 16 octets must ...

Authentication flaw

OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug...

CVE-2023-37464

OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption JOSE. The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug...