CWE-321
Use of Hard-coded Cryptographic Key
The product uses a hard-coded, unchangeable cryptographic key.
CVE-2024-33504 (GCVE-0-2024-33504)
Vulnerability from cvelistv5 – Published: 2025-02-11 16:09 – Updated: 2025-02-11 16:32
VLAI
Summary
A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled.
Severity
CWE
- CWE-321 - Information disclosure
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Fortinet | FortiManager |
Affected:
7.6.0 , ≤ 7.6.1
(semver)
Affected: 7.4.0 , ≤ 7.4.5 (semver) Affected: 7.2.0 , ≤ 7.2.9 (semver) Affected: 7.0.0 , ≤ 7.0.13 (semver) Affected: 6.4.0 , ≤ 6.4.15 (semver) cpe:2.3:o:fortinet:fortimanager:7.6.1:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.6.0:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.4.5:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.4.4:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.4.3:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.4.2:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.4.1:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.4.0:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.2.9:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.2.8:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.2.7:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.2.6:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.2.5:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.2.4:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.2.3:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.2.2:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.2.1:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.2.0:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.13:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.12:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.11:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.10:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.9:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.8:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.7:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.6:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.5:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.4:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.3:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.2:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.1:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:7.0.0:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.15:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.14:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.13:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.12:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.11:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.10:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.9:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.8:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.7:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.6:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.5:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.4:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.3:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.2:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.1:*:*:*:*:*:*:* cpe:2.3:o:fortinet:fortimanager:6.4.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-33504",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T16:32:42.643228Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T16:32:53.596Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:o:fortinet:fortimanager:7.6.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.6.0:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.4.5:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.4.4:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.4.3:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.4.2:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.4.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.4.0:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.2.9:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.2.8:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.2.7:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.2.6:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.2.5:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.2.4:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.2.3:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.2.2:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.2.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.2.0:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.13:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.12:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.11:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.10:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.9:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.8:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.7:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.6:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.5:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.4:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.2:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:7.0.0:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.15:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.14:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.13:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.12:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.11:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.10:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.9:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.8:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.7:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.6:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.5:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.4:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.3:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.2:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.1:*:*:*:*:*:*:*",
"cpe:2.3:o:fortinet:fortimanager:6.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiManager",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "7.6.1",
"status": "affected",
"version": "7.6.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.4.5",
"status": "affected",
"version": "7.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.2.9",
"status": "affected",
"version": "7.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.13",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.15",
"status": "affected",
"version": "6.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9, 7.0 all versions, 6.4 all versions may allow an attacker with JSON API access permissions to decrypt some secrets even if the \u0027private-data-encryption\u0027 setting is enabled."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Information disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T16:09:03.258Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-24-094",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-094"
},
{
"name": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3",
"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-pgc3-m5p5-4vc3"
}
],
"solutions": [
{
"lang": "en",
"value": "Please upgrade to FortiManager version 7.6.2 or above \nPlease upgrade to FortiManager version 7.4.6 or above \nPlease upgrade to FortiManager version 7.2.10 or above \nPlease upgrade to FortiManager Cloud version 7.6.2 or above \nPlease upgrade to FortiManager Cloud version 7.4.6 or above \nPlease upgrade to FortiManager Cloud version 7.2.9 or above"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2024-33504",
"datePublished": "2025-02-11T16:09:03.258Z",
"dateReserved": "2024-04-23T14:18:29.830Z",
"dateUpdated": "2025-02-11T16:32:53.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38314 (GCVE-0-2024-38314)
Vulnerability from cvelistv5 – Published: 2024-10-24 17:23 – Updated: 2024-10-24 19:43
VLAI
Title
IBM Maximo Application Suite - Monitor Component information disclosure
Summary
IBM Maximo Application Suite - Monitor Component 8.10, 8.11, and 9.0 could disclose information in the form of the hard-coded cryptographic key to an attacker that has compromised environment.
Severity
5.9 (Medium)
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7173988 | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Maximo Application Suite - Monitor Component |
Affected:
8.10, 8.11, 9.0
cpe:2.3:a:ibm:maximo_application_suite:8.10:*:*:*:*:*:*:* cpe:2.3:a:ibm:maximo_application_suite:8.11:*:*:*:*:*:*:* cpe:2.3:a:ibm:maximo_application_suite:9.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38314",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-24T19:43:06.512728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T19:43:18.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:maximo_application_suite:8.10:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:maximo_application_suite:8.11:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:maximo_application_suite:9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Maximo Application Suite - Monitor Component",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "8.10, 8.11, 9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Maximo Application Suite - Monitor Component 8.10, 8.11, and 9.0 could disclose information in the form of the hard-coded cryptographic key to an attacker that has compromised environment."
}
],
"value": "IBM Maximo Application Suite - Monitor Component 8.10, 8.11, and 9.0 could disclose information in the form of the hard-coded cryptographic key to an attacker that has compromised environment."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T17:23:06.127Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7173988"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Maximo Application Suite - Monitor Component information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-38314",
"datePublished": "2024-10-24T17:23:06.127Z",
"dateReserved": "2024-06-13T21:43:46.666Z",
"dateUpdated": "2024-10-24T19:43:18.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38532 (GCVE-0-2024-38532)
Vulnerability from cvelistv5 – Published: 2024-06-28 21:25 – Updated: 2024-08-02 04:12
VLAI
Title
TEST_KEY used in example dcp_tool reference implementation
Summary
The NXP Data Co-Processor (DCP) is a built-in hardware module for specific NXP SoCs¹ that implements a dedicated AES cryptographic engine for encryption/decryption operations. The dcp_tool reference implementation included in the repository selected the test key, regardless of its `-t` argument. This issue has been patched in commit 26a7.
Severity
7.1 (High)
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/usbarmory/mxs-dcp/security/adv… | x_refsource_CONFIRM |
| https://github.com/usbarmory/mxs-dcp/commit/e5a99… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38532",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-01T18:09:34.354875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T18:09:44.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:25.150Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/usbarmory/mxs-dcp/security/advisories/GHSA-g85c-rh49-p8cq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/usbarmory/mxs-dcp/security/advisories/GHSA-g85c-rh49-p8cq"
},
{
"name": "https://github.com/usbarmory/mxs-dcp/commit/e5a99cb3d9429e6145495da7d01525c75af426a7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/usbarmory/mxs-dcp/commit/e5a99cb3d9429e6145495da7d01525c75af426a7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mxs-dcp",
"vendor": "usbarmory",
"versions": [
{
"status": "affected",
"version": "\u003e= commit 6151, \u003c commit 26a7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The NXP Data Co-Processor (DCP) is a built-in hardware module for specific NXP SoCs\u00b9 that implements a dedicated AES cryptographic engine for encryption/decryption operations. The dcp_tool reference implementation included in the repository selected the test key, regardless of its `-t` argument. This issue has been patched in commit 26a7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-28T21:25:42.129Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/usbarmory/mxs-dcp/security/advisories/GHSA-g85c-rh49-p8cq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/usbarmory/mxs-dcp/security/advisories/GHSA-g85c-rh49-p8cq"
},
{
"name": "https://github.com/usbarmory/mxs-dcp/commit/e5a99cb3d9429e6145495da7d01525c75af426a7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/usbarmory/mxs-dcp/commit/e5a99cb3d9429e6145495da7d01525c75af426a7"
}
],
"source": {
"advisory": "GHSA-g85c-rh49-p8cq",
"discovery": "UNKNOWN"
},
"title": "TEST_KEY used in example dcp_tool reference implementation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38532",
"datePublished": "2024-06-28T21:25:42.129Z",
"dateReserved": "2024-06-18T16:37:02.729Z",
"dateUpdated": "2024-08-02T04:12:25.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42418 (GCVE-0-2024-42418)
Vulnerability from cvelistv5 – Published: 2024-08-22 19:52 – Updated: 2024-08-22 20:14
VLAI
Title
Avtec Outpost Use of Hard-coded Cryptographic Key
Summary
Avtec Outpost uses a default cryptographic key that can be used to decrypt sensitive information.
Severity
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Avtec | Outpost 0810 |
Affected:
0 , < v5.0.0
(custom)
|
|
| Avtec | Outpost Uploader Utility |
Affected:
0 , < v5.0.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:avtec:outpost_0810:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "outpost_0810",
"vendor": "avtec",
"versions": [
{
"lessThan": "5.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:avtec:outpost_uploader_utility:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "outpost_uploader_utility",
"vendor": "avtec",
"versions": [
{
"lessThan": "5.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42418",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-22T20:11:55.031814Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T20:14:28.840Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Outpost 0810",
"vendor": "Avtec",
"versions": [
{
"lessThan": "v5.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Outpost Uploader Utility",
"vendor": "Avtec",
"versions": [
{
"lessThan": "v5.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonathan Fournier of Field Effect reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAvtec Outpost uses a default cryptographic key that can be used to decrypt sensitive information\u003c/span\u003e.\u003c/span\u003e"
}
],
"value": "Avtec Outpost uses a default cryptographic key that can be used to decrypt sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T19:52:32.736Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-235-04"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAvtec recommends users update to Outpost v5.0 to resolve.\u003c/p\u003e\u003cul\u003e\u003cli\u003eWhen upgrading to Outpost Version 5.0.0 or later, reset the list of users to the default. More information and instructions can be found on Avtec\u0027s \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://connect.avtecinc.com/bundle/Outpost_Uploader_Utility_User_Guide/page/Content/Outpost_User_Guide/Reset_Web_Auth.html\"\u003eOutpost Uploader Utility User Guide\u003c/a\u003e\u0026nbsp;for more information.\u003c/li\u003e\u003cli\u003eRestrict access to port 80 or disable web interface if possible.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAdditionally, Avtec recommends checking devices for Scout firmware versions prior to 5.8.1, which was commonly coupled with Outpost firmware. If so, the devices may also need to be updated to the latest firmware. For more information, please visit \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://connect.avtecinc.com/bundle/Scout_Release_Notes_5_8/resource/Release_Notes_Scout.pdf\"\u003eScout Release Notes\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Avtec recommends users update to Outpost v5.0 to resolve.\n\n * When upgrading to Outpost Version 5.0.0 or later, reset the list of users to the default. More information and instructions can be found on Avtec\u0027s Outpost Uploader Utility User Guide https://connect.avtecinc.com/bundle/Outpost_Uploader_Utility_User_Guide/page/Content/Outpost_User_Guide/Reset_Web_Auth.html \u00a0for more information.\n * Restrict access to port 80 or disable web interface if possible.\n\n\nAdditionally, Avtec recommends checking devices for Scout firmware versions prior to 5.8.1, which was commonly coupled with Outpost firmware. If so, the devices may also need to be updated to the latest firmware. For more information, please visit Scout Release Notes https://connect.avtecinc.com/bundle/Scout_Release_Notes_5_8/resource/Release_Notes_Scout.pdf ."
}
],
"source": {
"advisory": "ICSA-24-235-04",
"discovery": "EXTERNAL"
},
"title": "Avtec Outpost Use of Hard-coded Cryptographic Key",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-42418",
"datePublished": "2024-08-22T19:52:32.736Z",
"dateReserved": "2024-08-12T21:29:23.306Z",
"dateUpdated": "2024-08-22T20:14:28.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45837 (GCVE-0-2024-45837)
Vulnerability from cvelistv5 – Published: 2024-11-22 00:13 – Updated: 2024-11-22 11:34
VLAI
Summary
Use of hard-coded cryptographic key issue exists in AIPHONE IX SYSTEM, IXG SYSTEM, and System Support Software. A network-adjacent unauthenticated attacker may log in to SFTP service and obtain and/or manipulate unauthorized files.
Severity
5.4 (Medium)
CWE
- CWE-321 - Use of hard-coded cryptographic key
Assigner
References
Impacted products
56 products
| Vendor | Product | Version | |
|---|---|---|---|
| AIPHONE CO., LTD. | IX-MV |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-MV7-HB |
Affected:
firmware Ver.7.31 and earlier
|
|
| AIPHONE CO., LTD. | IX-MV7-HBT |
Affected:
firmware Ver.7.31 and earlier
|
|
| AIPHONE CO., LTD. | IX-MV7-HW |
Affected:
firmware Ver.7.31 and earlier
|
|
| AIPHONE CO., LTD. | IX-MV7-HWT |
Affected:
firmware Ver.7.31 and earlier
|
|
| AIPHONE CO., LTD. | IX-MV7-HW-JP |
Affected:
firmware Ver.7.31 and earlier
|
|
| AIPHONE CO., LTD. | IX-MV7-B |
Affected:
firmware Ver.7.31 and earlier
|
|
| AIPHONE CO., LTD. | IX-MV7-BT |
Affected:
firmware Ver.7.31 and earlier
|
|
| AIPHONE CO., LTD. | IX-MV7-W |
Affected:
firmware Ver.7.31 and earlier
|
|
| AIPHONE CO., LTD. | IX-MV7-WT |
Affected:
firmware Ver.7.31 and earlier
|
|
| AIPHONE CO., LTD. | IX-DA |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-DAU |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-DB |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-DBT |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-EA |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-EAT |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-EAU |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-DV |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-DVT |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-DVF |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-DVF-P |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-DVF-L |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-DVM |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-DU |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-DVF-RA |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-DVF-2RA |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-BA |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-BAU |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-BB |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-BBT |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-FA |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-SSA |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-SS-2G |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-SS-2GT |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-SS-2G-N |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-BU |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-SSA-RA |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-SSA-2RA |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-RS-B |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-RS-BT |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-RS-W |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-RS-WT |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IXW-MA |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IX-SPMIC |
Affected:
firmware Ver.7.30 and earlier
|
|
| AIPHONE CO., LTD. | IXG-2C7 |
Affected:
firmware Ver.3.01 and earlier
|
|
| AIPHONE CO., LTD. | IXG-2C7-L |
Affected:
firmware Ver.3.01 and earlier
|
|
| AIPHONE CO., LTD. | IXG-DM7 |
Affected:
firmware Ver.3.00 and earlier
|
|
| AIPHONE CO., LTD. | IXG-DM7-HID |
Affected:
firmware Ver.3.00 and earlier
|
|
| AIPHONE CO., LTD. | IXG-DM7-HIDA |
Affected:
firmware Ver.3.00 and earlier
|
|
| AIPHONE CO., LTD. | IXG-DM7-10K |
Affected:
firmware Ver.3.00 and earlier
|
|
| AIPHONE CO., LTD. | IXG-MK |
Affected:
firmware Ver.3.00 and earlier
|
|
| AIPHONE CO., LTD. | IXGW-GW |
Affected:
firmware Ver.3.01 and earlier
|
|
| AIPHONE CO., LTD. | IXGW-TGW |
Affected:
firmware Ver.3.01 and earlier
|
|
| AIPHONE CO., LTD. | IXGW-LC |
Affected:
firmware Ver.3.00 and earlier
|
|
| AIPHONE CO., LTD. | IX-SupportTool |
Affected:
Ver.10.3.0.0 and earlier
|
|
| AIPHONE CO., LTD. | IXG-SupportTool |
Affected:
Ver.5.0.2.0 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45837",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-22T11:29:16.723191Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T11:34:09.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "IX-MV",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-MV7-HB",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.31 and earlier"
}
]
},
{
"product": "IX-MV7-HBT",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.31 and earlier"
}
]
},
{
"product": "IX-MV7-HW",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.31 and earlier"
}
]
},
{
"product": "IX-MV7-HWT",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.31 and earlier"
}
]
},
{
"product": "IX-MV7-HW-JP",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.31 and earlier"
}
]
},
{
"product": "IX-MV7-B",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.31 and earlier"
}
]
},
{
"product": "IX-MV7-BT",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.31 and earlier"
}
]
},
{
"product": "IX-MV7-W",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.31 and earlier"
}
]
},
{
"product": "IX-MV7-WT",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.31 and earlier"
}
]
},
{
"product": "IX-DA",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-DAU",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-DB",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-DBT",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-EA",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-EAT",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-EAU",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-DV",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-DVT",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-DVF",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-DVF-P",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-DVF-L",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-DVM",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-DU",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-DVF-RA",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-DVF-2RA",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-BA",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-BAU",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-BB",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-BBT",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-FA",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-SSA",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-SS-2G",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-SS-2GT",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-SS-2G-N",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-BU",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-SSA-RA",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-SSA-2RA",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-RS-B",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-RS-BT",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-RS-W",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-RS-WT",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IXW-MA",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IX-SPMIC",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.7.30 and earlier"
}
]
},
{
"product": "IXG-2C7",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.3.01 and earlier"
}
]
},
{
"product": "IXG-2C7-L",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.3.01 and earlier"
}
]
},
{
"product": "IXG-DM7",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.3.00 and earlier"
}
]
},
{
"product": "IXG-DM7-HID",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.3.00 and earlier"
}
]
},
{
"product": "IXG-DM7-HIDA",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.3.00 and earlier"
}
]
},
{
"product": "IXG-DM7-10K",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.3.00 and earlier"
}
]
},
{
"product": "IXG-MK",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.3.00 and earlier"
}
]
},
{
"product": "IXGW-GW",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.3.01 and earlier"
}
]
},
{
"product": "IXGW-TGW",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.3.01 and earlier"
}
]
},
{
"product": "IXGW-LC",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "firmware Ver.3.00 and earlier"
}
]
},
{
"product": "IX-SupportTool",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "Ver.10.3.0.0 and earlier"
}
]
},
{
"product": "IXG-SupportTool",
"vendor": "AIPHONE CO., LTD.",
"versions": [
{
"status": "affected",
"version": "Ver.5.0.2.0 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use of hard-coded cryptographic key issue exists in AIPHONE IX SYSTEM, IXG SYSTEM, and System Support Software. A network-adjacent unauthenticated attacker may log in to SFTP service and obtain and/or manipulate unauthorized files."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of hard-coded cryptographic key",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T00:13:01.908Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.aiphone.net/important/20241016_1/"
},
{
"url": "https://www.aiphone.net/important/20241016_2/"
},
{
"url": "https://www.aiphone.net/support/software-documents/ix/"
},
{
"url": "https://www.aiphone.net/support/software-documents/ixg/"
},
{
"url": "https://jvn.jp/en/jp/JVN41397971/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-45837",
"datePublished": "2024-11-22T00:13:01.908Z",
"dateReserved": "2024-09-26T01:39:36.313Z",
"dateUpdated": "2024-11-22T11:34:09.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-46889 (GCVE-0-2024-46889)
Vulnerability from cvelistv5 – Published: 2024-11-12 12:49 – Updated: 2024-11-12 14:30
VLAI
Summary
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application uses hard-coded cryptographic key material to obfuscate configuration files. This could allow an attacker to learn that cryptographic key material through reverse engineering of the application binary and decrypt arbitrary backup files.
Severity
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:seimens:sinec_ins:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sinec_ins",
"vendor": "seimens",
"versions": [
{
"lessThan": "V1.0 SP2 Update 3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46889",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:29:00.705847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:30:25.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SINEC INS",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V1.0 SP2 Update 3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in SINEC INS (All versions \u003c V1.0 SP2 Update 3). The affected application uses hard-coded cryptographic key material to obfuscate configuration files. This could allow an attacker to learn that cryptographic key material through reverse engineering of the application binary and decrypt arbitrary backup files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T12:49:40.474Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-915275.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2024-46889",
"datePublished": "2024-11-12T12:49:40.474Z",
"dateReserved": "2024-09-12T11:24:19.243Z",
"dateUpdated": "2024-11-12T14:30:25.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47256 (GCVE-0-2024-47256)
Vulnerability from cvelistv5 – Published: 2025-02-06 19:10 – Updated: 2026-01-09 13:31
VLAI
Summary
Successful exploitation of this vulnerability could allow an attacker (who needs to have Admin access privileges) to read hardcoded AES passphrase, which may be used for decryption of certain data within backup files of 2N Access Commander version 1.14 and older.
2N has released an updated version 3.3 of 2N Access Commander, where this vulnerability is mitigated. It is recommended that all customers update 2N Access Commander to the latest version.
Severity
6 (Medium)
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| 2N | 2N Access Commander |
Affected:
2N Access Commander 1.14 and prior
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T20:20:51.747816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-06T20:21:03.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "2N Access Commander",
"vendor": "2N",
"versions": [
{
"status": "affected",
"version": "2N Access Commander 1.14 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eSuccessful exploitation of this vulnerability could allow an attacker (who needs to have Admin access privileges) to read hardcoded AES passphrase, which may be used for decryption of certain data within backup files of 2N Access Commander version 1.14 and older.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\n\n2N has released an updated version 3.3 of 2N Access Commander, where this vulnerability is mitigated. It is recommended that all customers update 2N Access Commander to the latest version.\n\n\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Successful exploitation of this vulnerability could allow an attacker (who needs to have Admin access privileges) to read hardcoded AES passphrase, which may be used for decryption of certain data within backup files of 2N Access Commander version 1.14 and older.\n\n\n\n\n\n\n2N has released an updated version 3.3 of 2N Access Commander, where this vulnerability is mitigated. It is recommended that all customers update 2N Access Commander to the latest version."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T13:31:33.460Z",
"orgId": "f2daf9a0-02c2-4b83-a01d-63b3b304b807",
"shortName": "Axis"
},
"references": [
{
"url": "https://www.2n.com/en-GB/download/cve_2024_47256_acom_3_3_v1pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f2daf9a0-02c2-4b83-a01d-63b3b304b807",
"assignerShortName": "Axis",
"cveId": "CVE-2024-47256",
"datePublished": "2025-02-06T19:10:03.820Z",
"dateReserved": "2024-09-23T16:37:50.255Z",
"dateUpdated": "2026-01-09T13:31:33.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-50564 (GCVE-0-2024-50564)
Vulnerability from cvelistv5 – Published: 2025-01-14 14:09 – Updated: 2025-01-15 14:53
VLAI
Summary
A use of hard-coded cryptographic key in Fortinet FortiClientWindows version 7.4.0, 7.2.x all versions, 7.0.x all versions, and 6.4.x all versions may allow a low-privileged user to decrypt interprocess communication via monitoring named piped.
Severity
CWE
- CWE-321 - Information disclosure
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Fortinet | FortiClientWindows |
Affected:
7.4.0
Affected: 7.2.0 , ≤ 7.2.7 (semver) Affected: 7.0.0 , ≤ 7.0.14 (semver) Affected: 6.4.0 , ≤ 6.4.10 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-15T14:51:55.463826Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-15T14:53:40.154Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [],
"defaultStatus": "unaffected",
"product": "FortiClientWindows",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "7.4.0"
},
{
"lessThanOrEqual": "7.2.7",
"status": "affected",
"version": "7.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.14",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.10",
"status": "affected",
"version": "6.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A use of hard-coded cryptographic key in Fortinet FortiClientWindows version 7.4.0, 7.2.x all versions, 7.0.x all versions, and 6.4.x all versions may allow a low-privileged user to decrypt interprocess communication via monitoring named piped."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Information disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T14:09:49.460Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-24-216",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-216"
}
],
"solutions": [
{
"lang": "en",
"value": "Please upgrade to FortiClientWindows version 7.4.1 or above"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2024-50564",
"datePublished": "2025-01-14T14:09:49.460Z",
"dateReserved": "2024-10-24T11:52:14.401Z",
"dateUpdated": "2025-01-15T14:53:40.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52614 (GCVE-0-2024-52614)
Vulnerability from cvelistv5 – Published: 2024-11-20 05:12 – Updated: 2024-11-20 15:16
VLAI
Summary
Use of hard-coded cryptographic key issue exists in "Kura Sushi Official App Produced by EPARK" for Android versions prior to 3.8.5. If this vulnerability is exploited, a local attacker may obtain the login ID and password for the affected product.
Severity
4 (Medium)
CWE
- CWE-321 - Use of hard-coded cryptographic key
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| EPARK, Inc. | Kura Sushi Official App Produced by EPARK |
Affected:
prior to 3.8.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52614",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T15:11:03.735885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T15:16:27.641Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Kura Sushi Official App Produced by EPARK",
"vendor": "EPARK, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to 3.8.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use of hard-coded cryptographic key issue exists in \"Kura Sushi Official App Produced by EPARK\" for Android versions prior to 3.8.5. If this vulnerability is exploited, a local attacker may obtain the login ID and password for the affected product."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of hard-coded cryptographic key",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T05:12:41.410Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://play.google.com/store/apps/details?id=jp.co.kura_corpo"
},
{
"url": "https://jvn.jp/en/jp/JVN16114985/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-52614",
"datePublished": "2024-11-20T05:12:41.410Z",
"dateReserved": "2024-11-14T23:27:41.859Z",
"dateUpdated": "2024-11-20T15:16:27.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5296 (GCVE-0-2024-5296)
Vulnerability from cvelistv5 – Published: 2024-05-23 21:29 – Updated: 2024-08-01 21:11
VLAI
Title
D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability
Summary
D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21991.
Severity
9.8 (Critical)
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
Date Public
2024-05-14 15:21
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:d-link:d-view:2.0.1.28:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "d-view",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "2.0.1.28"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5296",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-24T13:11:43.781611Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T20:06:43.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:11:11.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-24-447",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-447/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "D-View",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "2.0.1.28"
}
]
}
],
"dateAssigned": "2024-05-23T21:28:51.915Z",
"datePublic": "2024-05-14T15:21:23.062Z",
"descriptions": [
{
"lang": "en",
"value": "D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the TokenUtils class. The issue results from a hard-coded cryptographic key. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21991."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-23T21:29:58.566Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-24-447",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-447/"
}
],
"source": {
"lang": "en",
"value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
},
"title": "D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2024-5296",
"datePublished": "2024-05-23T21:29:58.566Z",
"dateReserved": "2024-05-23T21:28:51.883Z",
"dateUpdated": "2024-08-01T21:11:11.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Prevention schemes mirror that of hard-coded password storage.
No CAPEC attack patterns related to this CWE.