Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

631 vulnerabilities reference this CWE, most recent first.

CVE-2023-27987 (GCVE-0-2023-27987)

Vulnerability from cvelistv5 – Published: 2023-04-10 07:37 – Updated: 2024-10-17 20:20
VLAI
Title
Apache Linkis gateway module token authentication bypass
Summary
In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values. We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization[1] https://linkis.apache.org/docs/latest/auth/token https://linkis.apache.org/docs/latest/auth/token
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-326 - Inadequate Encryption Strength
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Linkis Affected: 0 , ≤ 1.3.1 (maven)
Create a notification for this product.
apache linkis Affected: 0 , ≤ 1.3.1 (custom)
    cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Laihan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T12:23:30.699Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/3cr1cz3210wzwngldwrqzm43vwhghp0p"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2023/04/10/3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linkis",
            "vendor": "apache",
            "versions": [
              {
                "lessThanOrEqual": "1.3.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-27987",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-17T20:20:28.978438Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-17T20:20:41.204Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Linkis",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.3.1",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Laihan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\nIn Apache Linkis \u0026lt;=1.3.1,\u0026nbsp;due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack.\u0026nbsp;Generation rules should add random values.\u003cbr\u003e\n\n\n\nWe recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization[1]\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://linkis.apache.org/docs/latest/auth/token\"\u003ehttps://linkis.apache.org/docs/latest/auth/token\u003c/a\u003e\n\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "\nIn Apache Linkis \u003c=1.3.1,\u00a0due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack.\u00a0Generation rules should add random values.\n\n\n\n\nWe recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization[1]\n https://linkis.apache.org/docs/latest/auth/token https://linkis.apache.org/docs/latest/auth/token \n\n\n\n\n"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-326",
              "description": "CWE-326 Inadequate Encryption Strength",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-14T07:51:55.696Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread/3cr1cz3210wzwngldwrqzm43vwhghp0p"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2023/04/10/3"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Linkis gateway module token authentication bypass",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-27987",
    "datePublished": "2023-04-10T07:37:07.558Z",
    "dateReserved": "2023-03-09T07:54:39.525Z",
    "dateUpdated": "2024-10-17T20:20:41.204Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-21444 (GCVE-0-2023-21444)

Vulnerability from cvelistv5 – Published: 2023-02-09 00:00 – Updated: 2025-03-24 19:07
VLAI
Summary
Improper cryptographic implementation in Samsung Flow for PC 4.9.14.0 allows adjacent attackers to decrypt encrypted messages or inject commands.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-326 - Inadequate Encryption Strength
Assigner
Impacted products
Vendor Product Version
Samsung Mobile Samsung Flow for PC Affected: unspecified , < 4.9.14.0 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T09:36:34.443Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=02"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-21444",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-24T19:07:29.438435Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-24T19:07:37.368Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Samsung Flow for PC",
          "vendor": "Samsung Mobile",
          "versions": [
            {
              "lessThan": "4.9.14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper cryptographic implementation in Samsung Flow for PC 4.9.14.0 allows adjacent attackers to decrypt encrypted messages or inject commands."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-326",
              "description": "CWE-326 Inadequate Encryption Strength",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-09T00:00:00.000Z",
        "orgId": "3af57064-a867-422c-b2ad-40307b65c458",
        "shortName": "Samsung Mobile"
      },
      "references": [
        {
          "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=02"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458",
    "assignerShortName": "Samsung Mobile",
    "cveId": "CVE-2023-21444",
    "datePublished": "2023-02-09T00:00:00.000Z",
    "dateReserved": "2022-11-14T00:00:00.000Z",
    "dateUpdated": "2025-03-24T19:07:37.368Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-21443 (GCVE-0-2023-21443)

Vulnerability from cvelistv5 – Published: 2023-02-09 00:00 – Updated: 2025-03-24 19:07
VLAI
Summary
Improper cryptographic implementation in Samsung Flow for Android prior to version 4.9.04 allows adjacent attackers to decrypt encrypted messages or inject commands.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-326 - Inadequate Encryption Strength
Assigner
Impacted products
Vendor Product Version
Samsung Mobile Samsung Flow for Android Affected: unspecified , < 4.9.04 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T09:36:34.510Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=02"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-21443",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-24T19:07:50.914165Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-24T19:07:57.762Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Samsung Flow for Android",
          "vendor": "Samsung Mobile",
          "versions": [
            {
              "lessThan": "4.9.04",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper cryptographic implementation in Samsung Flow for Android prior to version 4.9.04 allows adjacent attackers to decrypt encrypted messages or inject commands."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-326",
              "description": "CWE-326 Inadequate Encryption Strength",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-09T00:00:00.000Z",
        "orgId": "3af57064-a867-422c-b2ad-40307b65c458",
        "shortName": "Samsung Mobile"
      },
      "references": [
        {
          "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=02"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458",
    "assignerShortName": "Samsung Mobile",
    "cveId": "CVE-2023-21443",
    "datePublished": "2023-02-09T00:00:00.000Z",
    "dateReserved": "2022-11-14T00:00:00.000Z",
    "dateUpdated": "2025-03-24T19:07:57.762Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-4333 (GCVE-0-2023-4333)

Vulnerability from cvelistv5 – Published: 2023-08-15 18:25 – Updated: 2025-11-04 16:10
VLAI
Title
Broadcom RAID Controller web interface doesn’t enforce SSL cipher ordering by server
Summary
Broadcom RAID Controller web interface doesn’t enforce SSL cipher ordering by server
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-326 - Inadequate Encryption Strength
Assigner
Impacted products
Vendor Product Version
Broadcom LSI Storage Authority (LSA) Affected: 0 , < 7.017.011.000 (custom)
Create a notification for this product.
Credits
Intel DCG
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T16:10:26.180Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/resources/product-security-center"
          },
          {
            "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00926.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4333",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-08T19:34:27.460689Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-08T19:34:36.730Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "LSI Storage Authority (LSA)",
          "vendor": "Broadcom",
          "versions": [
            {
              "lessThan": "7.017.011.000",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Intel DCG"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Broadcom RAID Controller web interface doesn\u2019t enforce SSL cipher ordering by server"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-326",
              "description": "CWE-326 Inadequate Encryption Strength",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-24T14:43:56.277Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.broadcom.com/support/resources/product-security-center"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This issue is fixed in 7.017.011.000. For more information please contact your Broadcom representative."
            }
          ],
          "value": "This issue is fixed in 7.017.011.000. For more information please contact your Broadcom representative."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Broadcom RAID Controller web interface doesn\u2019t enforce SSL cipher ordering by server",
      "x_generator": {
        "engine": "cveClient/1.0.15"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2023-4333",
    "datePublished": "2023-08-15T18:25:37.222Z",
    "dateReserved": "2023-08-14T21:25:58.657Z",
    "dateUpdated": "2025-11-04T16:10:26.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4129 (GCVE-0-2023-4129)

Vulnerability from cvelistv5 – Published: 2023-09-27 15:44 – Updated: 2024-09-23 15:06
VLAI
Summary
Dell Data Protection Central, version 19.9, contains an Inadequate Encryption Strength Vulnerability. An unauthenticated network attacker could potentially exploit this vulnerability, allowing an attacker to recover plaintext from a block of ciphertext.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-326 - Inadequate Encryption Strength
Assigner
References
Impacted products
Vendor Product Version
Dell Data Protection Central Affected: Version 19.9.0-10
Create a notification for this product.
Date Public
2023-09-27 06:30
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:17:12.135Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.dell.com/support/kbdoc/en-us/000218045/dsa-2023-346-security-update-for-dell-data-protection-central"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4129",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-23T14:31:10.958186Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-23T15:06:03.197Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Data Protection Central",
          "vendor": "Dell",
          "versions": [
            {
              "status": "affected",
              "version": "Version 19.9.0-10"
            }
          ]
        }
      ],
      "datePublic": "2023-09-27T06:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDell Data Protection Central, version 19.9, contains an Inadequate Encryption Strength Vulnerability. An unauthenticated network attacker could potentially exploit this vulnerability, allowing an attacker to recover plaintext from a block of ciphertext.\u003c/span\u003e\n\n"
            }
          ],
          "value": "\nDell Data Protection Central, version 19.9, contains an Inadequate Encryption Strength Vulnerability. An unauthenticated network attacker could potentially exploit this vulnerability, allowing an attacker to recover plaintext from a block of ciphertext.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-326",
              "description": "CWE-326: Inadequate Encryption Strength",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-27T15:44:02.272Z",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.dell.com/support/kbdoc/en-us/000218045/dsa-2023-346-security-update-for-dell-data-protection-central"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2023-4129",
    "datePublished": "2023-09-27T15:44:02.272Z",
    "dateReserved": "2023-08-03T07:17:20.819Z",
    "dateUpdated": "2024-09-23T15:06:03.197Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3243 (GCVE-0-2023-3243)

Vulnerability from cvelistv5 – Published: 2023-06-28 20:23 – Updated: 2024-08-02 06:48 Unsupported When Assigned
VLAI
Summary
** UNSUPPORTED WHEN ASSIGNED ** [An attacker can capture an authenticating hash and utilize it to create new sessions. The hash is also a poorly salted MD5 hash, which could result in a successful brute force password attack. Impacted product is BCM-WEB version 3.3.X. Recommended fix: Upgrade to a supported product such as Alerton ACM.] Out of an abundance of caution, this CVE ID is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. 
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-290 - Authentication Bypass by Spoofing
  • CWE-326 - Inadequate Encryption Strength
Assigner
References
Impacted products
Vendor Product Version
Alerton BCM-WEB Affected: 3.3.X , ≤ 3.3.X* (semver)
Create a notification for this product.
honeywell alerton_bcm-web_firmware Affected: -
    cpe:2.3:o:honeywell:alerton_bcm-web_firmware:-:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:honeywell:alerton_bcm-web_firmware:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "alerton_bcm-web_firmware",
            "vendor": "honeywell",
            "versions": [
              {
                "status": "affected",
                "version": "-"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3243",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-29T19:36:19.657479Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:17:36.156Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:48:08.512Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.honeywell.com/us/en/product-security"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "BCM-WEB",
          "vendor": "Alerton",
          "versions": [
            {
              "lessThanOrEqual": "3.3.X*",
              "status": "affected",
              "version": "3.3.X",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\n\n** UNSUPPORTED WHEN ASSIGNED ** [An attacker can capture an authenticating hash\nand utilize it to create new sessions. The hash is also a poorly salted MD5\nhash, which could result in a successful brute force password attack. Impacted product is BCM-WEB version 3.3.X.\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eRecommended fix:  Upgrade to a supported product such\nas \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbuildings.honeywell.com%2Fcontent%2Fdam%2Fhbtbt%2Fen%2Fdocuments%2Fdownloads%2FACM-Data-Sheet.pdf\u0026amp;data=05%7C01%7CAbigail.Palacios%40Honeywell.com%7C1d6c8efd4d004d4c794708db7420781b%7C96ece5269c7d48b08daf8b93c90a5d18%7C0%7C0%7C638231455033412035%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C\u0026amp;sdata=0eiTwALAM%2BDi2WPUs%2F4dVN8eNxZQStfqxMqCRfTYpBM%3D\u0026amp;reserved=0\"\u003eAlerton\nACM\u003c/a\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e.\u003c/span\u003e] Out of an abundance of caution, this CVE ID is being assigned to \nbetter serve our customers and ensure all who are still running this product understand \nthat the product is end of life and should be removed or upgraded.\u0026nbsp;\u003c/p\u003e\n\n\n\n\n\n"
            }
          ],
          "value": "\n** UNSUPPORTED WHEN ASSIGNED ** [An attacker can capture an authenticating hash\nand utilize it to create new sessions. The hash is also a poorly salted MD5\nhash, which could result in a successful brute force password attack. Impacted product is BCM-WEB version 3.3.X.\u00a0Recommended fix:  Upgrade to a supported product such\nas Alerton\nACM.] Out of an abundance of caution, this CVE ID is being assigned to \nbetter serve our customers and ensure all who are still running this product understand \nthat the product is end of life and should be removed or upgraded.\u00a0\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290 Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-326",
              "description": "CWE-326 Inadequate Encryption Strength",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-25T14:09:27.255Z",
        "orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d",
        "shortName": "Honeywell"
      },
      "references": [
        {
          "url": "https://www.honeywell.com/us/en/product-security"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "unsupported-when-assigned"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d",
    "assignerShortName": "Honeywell",
    "cveId": "CVE-2023-3243",
    "datePublished": "2023-06-28T20:23:21.810Z",
    "dateReserved": "2023-06-14T13:51:12.389Z",
    "dateUpdated": "2024-08-02T06:48:08.512Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-2197 (GCVE-0-2023-2197)

Vulnerability from cvelistv5 – Published: 2023-05-01 19:41 – Updated: 2025-02-13 16:40
VLAI
Title
Vault Enterprise Vulnerable to Padding Oracle Attacks When Using a CBC-based Encryption Mechanism with a HSM
Summary
HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the CKM_AES_CBC_PAD or CKM_AES_CBC encryption mechanisms. An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault’s root key. Fixed in 1.13.2
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-326 - Inadequate Encryption Strength
Assigner
Impacted products
Vendor Product Version
HashiCorp Vault Enterprise Affected: 1.13.0 , ≤ 1.13.1 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:12:20.674Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2023-14-vault-enterprise-vulnerable-to-padding-oracle-attacks-when-using-a-cbc-based-encryption-mechanism-with-a-hsm/53322"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230609-0007/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 2.5,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-2197",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-30T15:18:23.974609Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-326",
                "description": "CWE-326 Inadequate Encryption Strength",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-30T15:20:35.099Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows",
            "Linux",
            "x86",
            "64 bit",
            "32 bit"
          ],
          "product": "Vault Enterprise",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThanOrEqual": "1.13.1",
              "status": "affected",
              "version": "1.13.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the\u0026nbsp;CKM_AES_CBC_PAD or\u0026nbsp;CKM_AES_CBC encryption mechanisms.\u0026nbsp;An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault\u2019s root key. Fixed in 1.13.2"
            }
          ],
          "value": "HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a padding oracle attack when using an HSM in conjunction with the\u00a0CKM_AES_CBC_PAD or\u00a0CKM_AES_CBC encryption mechanisms.\u00a0An attacker with privileges to modify storage and restart Vault may be able to intercept or modify cipher text in order to derive Vault\u2019s root key. Fixed in 1.13.2"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-463",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-463 Padding Oracle Crypto Attack"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-326",
              "description": "CWE-326 Inadequate Encryption Strength",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-09T07:06:37.124Z",
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp"
      },
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2023-14-vault-enterprise-vulnerable-to-padding-oracle-attacks-when-using-a-cbc-based-encryption-mechanism-with-a-hsm/53322"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230609-0007/"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Vault Enterprise Vulnerable to Padding Oracle Attacks When Using a CBC-based Encryption Mechanism with a HSM"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "cveId": "CVE-2023-2197",
    "datePublished": "2023-05-01T19:41:17.600Z",
    "dateReserved": "2023-04-20T19:03:10.324Z",
    "dateUpdated": "2025-02-13T16:40:36.424Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-1764 (GCVE-0-2023-1764)

Vulnerability from cvelistv5 – Published: 2023-05-17 00:00 – Updated: 2025-01-22 19:47
VLAI
Summary
Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the communication of the software.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-326 - Inadequate Encryption Strength
Assigner
Impacted products
Vendor Product Version
Canon Inc. Canon IJ NW Tool Affected: Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:57:24.994Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://psirt.canon/advisory-information/cp2023-002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://psirt.canon/hardening/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1764",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-22T19:47:15.479601Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-22T19:47:20.955Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Canon IJ NW Tool",
          "vendor": "Canon Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the communication of the software."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-326",
              "description": "CWE-326: Inadequate Encryption Strength",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-17T00:00:00.000Z",
        "orgId": "f98c90f0-e9bd-4fa7-911b-51993f3571fd",
        "shortName": "Canon"
      },
      "references": [
        {
          "url": "https://psirt.canon/advisory-information/cp2023-002/"
        },
        {
          "url": "https://psirt.canon/hardening/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f98c90f0-e9bd-4fa7-911b-51993f3571fd",
    "assignerShortName": "Canon",
    "cveId": "CVE-2023-1764",
    "datePublished": "2023-05-17T00:00:00.000Z",
    "dateReserved": "2023-03-31T00:00:00.000Z",
    "dateUpdated": "2025-01-22T19:47:20.955Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-41209 (GCVE-0-2022-41209)

Vulnerability from cvelistv5 – Published: 2022-10-11 00:00 – Updated: 2025-05-20 15:00
VLAI
Summary
SAP Customer Data Cloud (Gigya mobile app for Android) - version 7.4, uses encryption method which lacks proper diffusion and does not hide the patterns well. This can lead to information disclosure. In certain scenarios, application might also be susceptible to replay attacks.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
sap
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:35:49.635Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/3248970"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "PHYSICAL",
              "availabilityImpact": "NONE",
              "baseScore": 5.2,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-41209",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-20T15:00:32.753910Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-20T15:00:36.753Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP Customer Data Cloud (Gigya)",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "7.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP Customer Data Cloud (Gigya mobile app for Android) - version 7.4, uses encryption method which lacks proper diffusion and does not hide the patterns well. This can lead to information disclosure. In certain scenarios, application might also be susceptible to replay attacks.\u003c/p\u003e"
            }
          ],
          "value": "SAP Customer Data Cloud (Gigya mobile app for Android) - version 7.4, uses encryption method which lacks proper diffusion and does not hide the patterns well. This can lead to information disclosure. In certain scenarios, application might also be susceptible to replay attacks.\n\n"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-326",
              "description": "CWE-326",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-08T16:10:43.752Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
        },
        {
          "url": "https://launchpad.support.sap.com/#/notes/3248970"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2022-41209",
    "datePublished": "2022-10-11T00:00:00.000Z",
    "dateReserved": "2022-09-21T00:00:00.000Z",
    "dateUpdated": "2025-05-20T15:00:36.753Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-40745 (GCVE-0-2022-40745)

Vulnerability from cvelistv5 – Published: 2024-04-19 17:01 – Updated: 2024-08-03 12:28
VLAI
Title
IBM Aspera Faspex information disclosure
Summary
IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to weaker than expected security. IBM X-Force ID: 236452.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-326 - Inadequate Encryption Strength
Assigner
ibm
Impacted products
Vendor Product Version
IBM Aspera Faspex Affected: 5.0.0 , ≤ 5.0.7 (semver)
Create a notification for this product.
ibm aspera_faspex Affected: 5.0.0
    cpe:2.3:a:ibm:aspera_faspex:5.0.0:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ibm:aspera_faspex:5.0.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "aspera_faspex",
            "vendor": "ibm",
            "versions": [
              {
                "status": "affected",
                "version": "5.0.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-40745",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-23T19:21:53.504235Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:15:38.344Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:28:42.305Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/pages/node/7148632"
          },
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/236452"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Aspera Faspex",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "5.0.7",
              "status": "affected",
              "version": "5.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to weaker than expected security.  IBM X-Force ID:  236452."
            }
          ],
          "value": "IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to weaker than expected security.  IBM X-Force ID:  236452."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-326",
              "description": "CWE-326 Inadequate Encryption Strength",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-19T17:01:38.927Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ibm.com/support/pages/node/7148632"
        },
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/236452"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Aspera Faspex information disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2022-40745",
    "datePublished": "2024-04-19T17:01:38.927Z",
    "dateReserved": "2022-09-16T16:24:40.585Z",
    "dateUpdated": "2024-08-03T12:28:42.305Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.