Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

633 vulnerabilities reference this CWE, most recent first.

GHSA-V9VJ-9PXV-MR2W

Vulnerability from github – Published: 2023-10-20 00:30 – Updated: 2024-09-26 14:11
VLAI
Summary
mycli has Inadequate Encryption Strength
Details

Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mycli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-44690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-20T22:31:26Z",
    "nvd_published_at": "2023-10-19T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via `/mycli/config.py`.",
  "id": "GHSA-v9vj-9pxv-mr2w",
  "modified": "2024-09-26T14:11:06Z",
  "published": "2023-10-20T00:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44690"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dbcli/mycli/issues/1131"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dbcli/mycli"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mycli/PYSEC-2023-213.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "mycli has Inadequate Encryption Strength"
}

GHSA-VC89-HCCF-RQ55

Vulnerability from github – Published: 2022-01-06 23:48 – Updated: 2025-12-16 22:29
VLAI
Summary
Hash collision in typelevel jawn
Details

Impact

Extenders of the org.typelevel.jawn.SimpleFacade and org.typelevel.jawn.MutableFacade who don't override objectContext() are vulnerable to a hash collision attack. Most applications do not implement these traits directly, but inherit from a library:

Affected implementations include: * org.http4s :: http4s-play-json * org.typelevel :: jawn-ast (< 0.8.0) * org.typelevel :: jawn-play (discontinued) * org.typelevel :: jawn-rojoma (discontinued) * org.typelevel :: jawn-spray (discontinued)

Unaffected implementations include: * io.argonaut :: argonaut-jawn * io.circe :: circe-parser * org.typelevel :: jawn-ast (>= 0.8.0) * org.typelevel :: jawn-json4s (discontinued) * org.typelevel :: jawn-argonaut (discontinued)

Patches

jawn-parser-1.3.2 fixes the issue.

Workarounds

Override objectContext() to use a collision-safe collection. See the patch for an example in both SimpleFacade and MutableFacade.

References

  • https://github.com/typelevel/jawn/pull/390

Credits

  • @kag0, for the report and the patch

For more information

If you have any questions or comments about this advisory: * Open an issue in typelevel/jawn * E-mail a maintainer: * @rossabaker

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_0.25"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parserg"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_0.27"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.10"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.13.0-M5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.13.0-RC1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.13.0-RC2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_2.13.0-RC3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3.0.0-M1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3.0.0-M2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3.0.0-M3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3.0.0-RC1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3.0.0-RC2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.3.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.typelevel:jawn-parser_3.0.0-RC3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-06T20:19:30Z",
    "nvd_published_at": "2022-01-05T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nExtenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don\u0027t override `objectContext()` are vulnerable to a hash collision attack.  Most applications do not implement these traits directly, but inherit from a library:\n\nAffected implementations include:\n* `org.http4s` :: `http4s-play-json`\n* `org.typelevel :: jawn-ast` (\u003c 0.8.0)\n* `org.typelevel :: jawn-play` (discontinued)\n* `org.typelevel :: jawn-rojoma` (discontinued)\n* `org.typelevel :: jawn-spray` (discontinued)\n\nUnaffected implementations include:\n* `io.argonaut :: argonaut-jawn`\n* `io.circe :: circe-parser`\n* `org.typelevel :: jawn-ast` (\u003e= 0.8.0)\n* `org.typelevel :: jawn-json4s` (discontinued)\n* `org.typelevel :: jawn-argonaut` (discontinued)\n\n### Patches\n\n`jawn-parser-1.3.2` fixes the issue.\n\n### Workarounds\n\nOverride `objectContext()` to use a collision-safe collection.  See [the patch](https://github.com/typelevel/jawn/pull/390/files) for an example in both `SimpleFacade` and `MutableFacade`.\n\n### References\n\n* https://github.com/typelevel/jawn/pull/390\n\n### Credits\n\n* @kag0, for the report and the patch\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [typelevel/jawn](https://github.com/typelevel/jawn)\n* E-mail a maintainer:\n  * [@rossabaker](mailto:ross@rossabaker.com)",
  "id": "GHSA-vc89-hccf-rq55",
  "modified": "2025-12-16T22:29:13Z",
  "published": "2022-01-06T23:48:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/jawn/security/advisories/GHSA-vc89-hccf-rq55"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21653"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/jawn/pull/390"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/typelevel/jawn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hash collision in typelevel jawn"
}

GHSA-VCV8-7FR8-7XQG

Vulnerability from github – Published: 2025-10-29 18:30 – Updated: 2025-11-07 15:31
VLAI
Details

Non-Compliant TLS Configuration.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-29T17:15:34Z",
    "severity": "CRITICAL"
  },
  "details": "Non-Compliant TLS Configuration.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .",
  "id": "GHSA-vcv8-7fr8-7xqg",
  "modified": "2025-11-07T15:31:27Z",
  "published": "2025-10-29T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12478"
    },
    {
      "type": "WEB",
      "url": "https://azure-access.com/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VF2V-X8QH-F73H

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) use weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 140397.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-17T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) use weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 140397.",
  "id": "GHSA-vf2v-x8qh-f73h",
  "modified": "2022-05-13T01:23:16Z",
  "published": "2022-05-13T01:23:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1466"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/140397"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ssg1S1012263"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ssg1S1012282"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ssg1S1012283"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104349"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VFMM-JM4V-7FRQ

Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2025-04-22 22:16
VLAI
Summary
Apache Wicket insecure defaults
Details

Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.wicket:wicket-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.wicket:wicket-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0-beta1"
            },
            {
              "fixed": "6.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.wicket:wicket-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0-M1"
            },
            {
              "fixed": "7.0.0-M5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-7808"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-22T22:16:01Z",
    "nvd_published_at": "2017-09-15T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider.",
  "id": "GHSA-vfmm-jm4v-7frq",
  "modified": "2025-04-22T22:16:01Z",
  "published": "2022-05-13T01:27:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7808"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/wicket/commit/d2b8848346b8f806e747dca18799d70c37fc893f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/wicket"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/rqy6lpo5mzco85cbf65r53vdh87gz77b"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20180830051017/https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Wicket insecure defaults"
}

GHSA-VFQW-83WW-JR3V

Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2025-04-11 04:15
VLAI
Details

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-4508"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-11-08T04:47:00Z",
    "severity": "HIGH"
  },
  "details": "lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network.",
  "id": "GHSA-vfqw-83ww-jr3v",
  "modified": "2025-04-11T04:15:49Z",
  "published": "2022-05-13T01:11:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4508"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2013/dsa-2795"
    },
    {
      "type": "WEB",
      "url": "http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/en/jp/JVN37417423/index.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00049.html"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2013/11/04/19"
    },
    {
      "type": "WEB",
      "url": "http://redmine.lighttpd.net/issues/2525"
    },
    {
      "type": "WEB",
      "url": "http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2913/diff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VGVM-464W-97H8

Vulnerability from github – Published: 2022-09-01 00:00 – Updated: 2022-11-15 12:00
VLAI
Details

All versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric PLCs and XG5000 PLC programming software are affected where passwords are not adequately encrypted during the communication process between the XG5000 software and the affected PLC. This would allow an attacker to identify and decrypt the affected PLC’s password by sniffing the traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-31T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "All versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric PLCs and XG5000 PLC programming software are affected where passwords are not adequately encrypted during the communication process between the XG5000 software and the affected PLC. This would allow an attacker to identify and decrypt the affected PLC\u2019s password by sniffing the traffic.",
  "id": "GHSA-vgvm-464w-97h8",
  "modified": "2022-11-15T12:00:19Z",
  "published": "2022-09-01T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2758"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ8W-5833-F867

Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2022-05-24 17:03
VLAI
Details

An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17428"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-12T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.",
  "id": "GHSA-vj8w-5833-f867",
  "modified": "2022-05-24T17:03:22Z",
  "published": "2022-05-24T17:03:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17428"
    },
    {
      "type": "WEB",
      "url": "https://know.bishopfox.com/advisories"
    },
    {
      "type": "WEB",
      "url": "https://know.bishopfox.com/advisories/solismed-critical"
    },
    {
      "type": "WEB",
      "url": "https://www.solismed.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VQ55-FW4V-2C2W

Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-04-26 00:01
VLAI
Details

Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. For more information about these vulnerabilities, see the Details section of this advisory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20677"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-15T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. For more information about these vulnerabilities, see the Details section of this advisory.",
  "id": "GHSA-vq55-fw4v-2c2w",
  "modified": "2022-04-26T00:01:02Z",
  "published": "2022-04-16T00:00:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20677"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-yuXQ6hFj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VRMC-C625-VVF7

Vulnerability from github – Published: 2021-12-14 00:00 – Updated: 2021-12-16 00:02
VLAI
Details

IBM Spectrum Copy Data Management 2.2.13 and earlier uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 211242.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-13T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Spectrum Copy Data Management 2.2.13 and earlier uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 211242.",
  "id": "GHSA-vrmc-c625-vvf7",
  "modified": "2021-12-16T00:02:43Z",
  "published": "2021-12-14T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38947"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/211242"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6525554"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.