CWE-757
AllowedSelection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Abstraction: Base · Status: Incomplete
A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.
48 vulnerabilities reference this CWE, most recent first.
CVE-2025-10693 (GCVE-0-2025-10693)
Vulnerability from cvelistv5 – Published: 2025-10-31 19:20 – Updated: 2025-10-31 19:54- CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
| URL | Tags |
|---|---|
| https://community.silabs.com/068Vm00000WN3J0 | vendor-advisorypermissions-required |
| Vendor | Product | Version | |
|---|---|---|---|
| silabs.com | Silicon Labs Z-Wave SDK |
Affected:
2025.6.0 , ≤ 2025.6.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10693",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-31T19:54:37.624347Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T19:54:55.313Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Simplicity SDK",
"product": "Silicon Labs Z-Wave SDK",
"repo": "https://github.com/SiliconLabs/simplicity_sdk",
"vendor": "silabs.com",
"versions": [
{
"lessThanOrEqual": "2025.6.1",
"status": "affected",
"version": "2025.6.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When SmartStart Inclusion fails during the onboarding of a Z-Wave PIR sensor, the sensor will join the network as a non-secure device. This vulnerability exists in Silicon Labs\u0027 Z-Wave PIR Sensor Reference design delivered as part of SiSDK v2025.6.0 and v2025.6.1.\u0026nbsp;"
}
],
"value": "When SmartStart Inclusion fails during the onboarding of a Z-Wave PIR sensor, the sensor will join the network as a non-secure device. This vulnerability exists in Silicon Labs\u0027 Z-Wave PIR Sensor Reference design delivered as part of SiSDK v2025.6.0 and v2025.6.1."
}
],
"impacts": [
{
"capecId": "CAPEC-620",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-620 Drop Encryption Level"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-757",
"description": "CWE-757 Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T19:20:16.031Z",
"orgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
"shortName": "Silabs"
},
"references": [
{
"tags": [
"vendor-advisory",
"permissions-required"
],
"url": "https://community.silabs.com/068Vm00000WN3J0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Silicon Labs Z-Wave PIR Sensor Joins Network as Non-Secure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
"assignerShortName": "Silabs",
"cveId": "CVE-2025-10693",
"datePublished": "2025-10-31T19:20:16.031Z",
"dateReserved": "2025-09-18T14:59:31.624Z",
"dateUpdated": "2025-10-31T19:54:55.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-23656 (GCVE-0-2024-23656)
Vulnerability from cvelistv5 – Published: 2024-01-25 19:45 – Updated: 2025-06-03 18:20| URL | Tags |
|---|---|
| https://github.com/dexidp/dex/security/advisories… | x_refsource_CONFIRM |
| https://github.com/dexidp/dex/issues/2848 | x_refsource_MISC |
| https://github.com/dexidp/dex/pull/2964 | x_refsource_MISC |
| https://github.com/dexidp/dex/commit/5bbdb4420254… | x_refsource_MISC |
| https://github.com/dexidp/dex/blob/70d7a2c7c1bb26… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:25.321Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r"
},
{
"name": "https://github.com/dexidp/dex/issues/2848",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dexidp/dex/issues/2848"
},
{
"name": "https://github.com/dexidp/dex/pull/2964",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dexidp/dex/pull/2964"
},
{
"name": "https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17"
},
{
"name": "https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23656",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-03T18:20:22.340742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T18:20:38.271Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dex",
"vendor": "dexidp",
"versions": [
{
"status": "affected",
"version": "= 2.37.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326: Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-757",
"description": "CWE-757: Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-25T19:45:41.237Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r"
},
{
"name": "https://github.com/dexidp/dex/issues/2848",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dexidp/dex/issues/2848"
},
{
"name": "https://github.com/dexidp/dex/pull/2964",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dexidp/dex/pull/2964"
},
{
"name": "https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17"
},
{
"name": "https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425"
}
],
"source": {
"advisory": "GHSA-gr79-9v6v-gc9r",
"discovery": "UNKNOWN"
},
"title": "Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23656",
"datePublished": "2024-01-25T19:45:41.237Z",
"dateReserved": "2024-01-19T00:18:53.235Z",
"dateUpdated": "2025-06-03T18:20:38.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-20069 (GCVE-0-2024-20069)
Vulnerability from cvelistv5 – Published: 2024-06-03 02:04 – Updated: 2024-08-01 21:52- CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
| Vendor | Product | Version | |
|---|---|---|---|
| MediaTek, Inc. | MT6833, MT6853, MT6855, MT6873, MT6875, MT6875T, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8675, MT8771, MT8791T, MT8797 |
Affected:
Modem NR15
|
|
| mediatek | mt6833 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt6833:*:*:*:*:*:*:*:* |
|
| mediatek | mt6853 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt6853:*:*:*:*:*:*:*:* |
|
| mediatek | mt6855 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt6855:*:*:*:*:*:*:*:* |
|
| mediatek | mt6873 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt6873:*:*:*:*:*:*:*:* |
|
| mediatek | mt6875 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt6875:*:*:*:*:*:*:*:* |
|
| mediatek | mt6875t |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt6875t:*:*:*:*:*:*:*:* |
|
| mediatek | mt6877 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt6877:*:*:*:*:*:*:*:* |
|
| mediatek | mt6883 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt6883:*:*:*:*:*:*:*:* |
|
| mediatek | mt6885 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt6885:*:*:*:*:*:*:*:* |
|
| mediatek | mt6889 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt6889:*:*:*:*:*:*:*:* |
|
| mediatek | mt6891 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt6891:*:*:*:*:*:*:*:* |
|
| mediatek | mt6893 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt6893:*:*:*:*:*:*:*:* |
|
| mediatek | mt8675 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt8675:*:*:*:*:*:*:*:* |
|
| mediatek | mt8771 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt8771:*:*:*:*:*:*:*:* |
|
| mediatek | mt8791t |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt8791t:*:*:*:*:*:*:*:* |
|
| mediatek | mt8797 |
Affected:
0 , < *
(custom)
cpe:2.3:h:mediatek:mt8797:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:h:mediatek:mt6833:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt6833",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt6853:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt6853",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt6855:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt6855",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt6873:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt6873",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt6875:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt6875",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt6875t:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt6875t",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt6877:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt6877",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt6883:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt6883",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt6885:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt6885",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt6889:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt6889",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt6891:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt6891",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt6893:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt6893",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt8675:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt8675",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt8771:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt8771",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt8791t:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt8791t",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:mediatek:mt8797:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mt8797",
"vendor": "mediatek",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-20069",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-03T18:16:36.426035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T20:21:58.882Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:52:31.659Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://corp.mediatek.com/product-security-bulletin/June-2024"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MT6833, MT6853, MT6855, MT6873, MT6875, MT6875T, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8675, MT8771, MT8791T, MT8797",
"vendor": "MediaTek, Inc.",
"versions": [
{
"status": "affected",
"version": "Modem NR15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In modem, there is a possible selection of less-secure algorithm during the VoWiFi IKE due to a missing DH downgrade check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01286330; Issue ID: MSV-1430."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-757",
"description": "CWE-757 Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T02:12:39.404Z",
"orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"shortName": "MediaTek"
},
"references": [
{
"url": "https://corp.mediatek.com/product-security-bulletin/June-2024"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
"assignerShortName": "MediaTek",
"cveId": "CVE-2024-20069",
"datePublished": "2024-06-03T02:04:48.667Z",
"dateReserved": "2023-11-02T13:35:35.171Z",
"dateUpdated": "2024-08-01T21:52:31.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8773 (GCVE-0-2024-8773)
Vulnerability from cvelistv5 – Published: 2025-03-24 12:33 – Updated: 2025-03-24 13:02- CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2025/03/CVE-2024-8773/ | third-party-advisory |
| https://cert.pl/posts/2025/03/CVE-2024-8773/ | third-party-advisory |
| https://simple.com.pl/produkty/simple-erp/dla-kogo/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| Simple SA | SIMPLE.ERP |
Affected:
6.20 , < 6.30@a03.9
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8773",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T13:02:45.871651Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T13:02:52.846Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SIMPLE.ERP",
"vendor": "Simple SA",
"versions": [
{
"lessThan": "6.30@a03.9",
"status": "affected",
"version": "6.20",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "dr in\u017c. Marcin Ochab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SIMPLE.ERP client is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification.\u003cbr\u003e\u003cbr\u003eThis issue affect SIMPLE.ERP from 6.20 to 6.30. Only the 6.30 version received a patch 6.30@a03.9, which make it possible for an administrator to enforce encrypted communication. Versions 6.20 and 6.25 remain unpatched.\u003cbr\u003e"
}
],
"value": "SIMPLE.ERP client is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification.\n\nThis issue affect SIMPLE.ERP from 6.20 to 6.30. Only the 6.30 version received a patch 6.30@a03.9, which make it possible for an administrator to enforce encrypted communication. Versions 6.20 and 6.25 remain unpatched."
}
],
"impacts": [
{
"capecId": "CAPEC-569",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-569 Collect Data as Provided by Users"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-757",
"description": "CWE-757 Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T12:33:15.769Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2025/03/CVE-2024-8773/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2025/03/CVE-2024-8773/"
},
{
"tags": [
"product"
],
"url": "https://simple.com.pl/produkty/simple-erp/dla-kogo/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Protocol Downgrade in SIMPLE.ERP",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-8773",
"datePublished": "2025-03-24T12:33:15.769Z",
"dateReserved": "2024-09-13T07:44:58.907Z",
"dateUpdated": "2025-03-24T13:02:52.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4995 (GCVE-0-2024-4995)
Vulnerability from cvelistv5 – Published: 2024-12-18 11:36 – Updated: 2025-10-07 13:20| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/12/CVE-2024-4995/ | third-party-advisory |
| https://cert.pl/posts/2024/12/CVE-2024-4995/ | third-party-advisory |
| https://wapro.pl/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| Asseco Business Solutions S.A. | Wapro ERP Desktop |
Affected:
0 , < 9.00.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-4995",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-18T14:49:13.283552Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T13:20:30.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wapro ERP Desktop",
"vendor": "Asseco Business Solutions S.A.",
"versions": [
{
"lessThan": "9.00.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-12-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Wapro ERP Desktop \u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eis vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification.\u0026nbsp;\u003c/span\u003e\u003cp\u003eThis issue affects Wapro ERP Desktop versions before 9.00.0.\u003c/p\u003e"
}
],
"value": "Wapro ERP Desktop is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification.\u00a0This issue affects Wapro ERP Desktop versions before 9.00.0."
}
],
"impacts": [
{
"capecId": "CAPEC-569",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-569 Collect Data as Provided by Users"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/V:C/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-757",
"description": "CWE-757 Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-03T08:55:28.841Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/12/CVE-2024-4995/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/12/CVE-2024-4995/"
},
{
"tags": [
"product"
],
"url": "https://wapro.pl/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Protocol Downgrade in Wapro ERP Desktop",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2024-4995",
"datePublished": "2024-12-18T11:36:47.588Z",
"dateReserved": "2024-05-16T10:39:00.184Z",
"dateUpdated": "2025-10-07T13:20:30.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2974 (GCVE-0-2023-2974)
Vulnerability from cvelistv5 – Published: 2023-07-04 13:24 – Updated: 2024-08-02 06:41- CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2023:3809 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2023-2974 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2211026 | issue-trackingx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat build of Quarkus 2.13.8.Final |
Unaffected:
2.13.8.Final-redhat-00004 , < *
(rpm)
cpe:/a:redhat:quarkus:2.13 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:03.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2023:3809",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3809"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-2974"
},
{
"name": "RHBZ#2211026",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211026"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:2.13"
],
"defaultStatus": "affected",
"packageName": "io.quarkus/quarkus-grpc",
"product": "Red Hat build of Quarkus 2.13.8.Final",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.13.8.Final-redhat-00004",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:2.13"
],
"defaultStatus": "affected",
"packageName": "io.quarkus/quarkus-vertx-http",
"product": "Red Hat build of Quarkus 2.13.8.Final",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.13.8.Final-redhat-00004",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Alexander Schwartz (Red Hat)."
}
],
"datePublic": "2023-06-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-757",
"description": "Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T15:32:35.950Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2023:3809",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:3809"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-2974"
},
{
"name": "RHBZ#2211026",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211026"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-30T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-06-29T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Quarkus-core: tls protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported tls protocol",
"x_redhatCweChain": "CWE-757: Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-2974",
"datePublished": "2023-07-04T13:24:29.648Z",
"dateReserved": "2023-05-30T10:06:53.993Z",
"dateUpdated": "2024-08-02T06:41:03.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-33160 (GCVE-0-2022-33160)
Vulnerability from cvelistv5 – Published: 2023-10-06 21:09 – Updated: 2024-09-19 16:24- CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7047071 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Security Directory Suite |
Affected:
8.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:01:19.651Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7047071"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228568"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-33160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T16:24:41.822746Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T16:24:51.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Security Directory Suite",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "8.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Security Directory Suite 8.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 228568."
}
],
"value": "IBM Security Directory Suite 8.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 228568."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-757",
"description": "CWE-757 Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-06T21:09:11.698Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7047071"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228568"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Security Directory Suite information disclosure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-33160",
"datePublished": "2023-10-06T21:09:11.698Z",
"dateReserved": "2022-06-13T16:18:00.246Z",
"dateUpdated": "2024-09-19T16:24:51.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23000 (GCVE-0-2022-23000)
Vulnerability from cvelistv5 – Published: 2022-07-25 18:46 – Updated: 2024-08-03 03:28- CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
| URL | Tags |
|---|---|
| https://www.westerndigital.com/support/product-se… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Western Digital | My Cloud |
Affected:
My Cloud OS 5 , < 5.23.114
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:43.001Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Linux"
],
"product": "My Cloud",
"vendor": "Western Digital",
"versions": [
{
"lessThan": "5.23.114",
"status": "affected",
"version": "My Cloud OS 5",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an \"SSL\" context instead of \"TLS\" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-757",
"description": "CWE-757 Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T18:46:02.000Z",
"orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
"shortName": "WDC PSIRT"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114"
}
],
"solutions": [
{
"lang": "en",
"value": "To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Weak Default SSL use in Port Forwarding Service",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@wdc.com",
"ID": "CVE-2022-23000",
"STATE": "PUBLIC",
"TITLE": "Weak Default SSL use in Port Forwarding Service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "My Cloud",
"version": {
"version_data": [
{
"platform": "Linux",
"version_affected": "\u003c",
"version_name": "My Cloud OS 5",
"version_value": "5.23.114"
}
]
}
}
]
},
"vendor_name": "Western Digital"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an \"SSL\" context instead of \"TLS\" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-757 Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114",
"refsource": "MISC",
"url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114"
}
]
},
"solution": [
{
"lang": "en",
"value": "To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
"assignerShortName": "WDC PSIRT",
"cveId": "CVE-2022-23000",
"datePublished": "2022-07-25T18:46:02.000Z",
"dateReserved": "2022-01-10T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:28:43.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36326 (GCVE-0-2021-36326)
Vulnerability from cvelistv5 – Published: 2021-11-30 20:40 – Updated: 2024-09-17 02:16- CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-in/00019369… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | Dell EMC Streaming Data Platform |
Affected:
unspecified , < 1.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:54:51.369Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.dell.com/support/kbdoc/en-in/000193697/dsa-2021-205-dell-emc-streaming-data-platform-security-update-for-third-party-vulnerabilities"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Dell EMC Streaming Data Platform",
"vendor": "Dell",
"versions": [
{
"lessThan": "1.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Dell EMC Streaming Data Platform, versions prior to 1.3 contain an SSL Strip Vulnerability in the User Interface (UI). A remote unauthenticated attacker could potentially exploit this vulnerability, leading to a downgrade in the communications between the client and server into an unencrypted format."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-757",
"description": "CWE-757: Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-30T20:40:13.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.dell.com/support/kbdoc/en-in/000193697/dsa-2021-205-dell-emc-streaming-data-platform-security-update-for-third-party-vulnerabilities"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2021-11-19",
"ID": "CVE-2021-36326",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Dell EMC Streaming Data Platform",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.3"
}
]
}
}
]
},
"vendor_name": "Dell"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Dell EMC Streaming Data Platform, versions prior to 1.3 contain an SSL Strip Vulnerability in the User Interface (UI). A remote unauthenticated attacker could potentially exploit this vulnerability, leading to a downgrade in the communications between the client and server into an unencrypted format."
}
]
},
"impact": {
"cvss": {
"baseScore": 6.5,
"baseSeverity": "Medium",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-757: Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.dell.com/support/kbdoc/en-in/000193697/dsa-2021-205-dell-emc-streaming-data-platform-security-update-for-third-party-vulnerabilities",
"refsource": "MISC",
"url": "https://www.dell.com/support/kbdoc/en-in/000193697/dsa-2021-205-dell-emc-streaming-data-platform-security-update-for-third-party-vulnerabilities"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2021-36326",
"datePublished": "2021-11-30T20:40:13.891Z",
"dateReserved": "2021-07-08T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:16:35.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-16200 (GCVE-0-2020-16200)
Vulnerability from cvelistv5 – Published: 2020-09-18 17:53 – Updated: 2025-06-04 21:21| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01 | x_refsource_MISC |
| https://www.philips.com/a-w/security/security-adv… |
| Vendor | Product | Version | |
|---|---|---|---|
| Philips | Clinical Collaboration Platform |
Affected:
0 , < 12.2.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:37:54.144Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Clinical Collaboration Platform",
"vendor": "Philips",
"versions": [
{
"lessThan": "12.2.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Northridge Hospital Medical Center reported these vulnerabilities to Philips."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePhilips Clinical Collaboration Platform, Versions 12.2.1 and prior, \n\ndoes not properly control the allocation and maintenance of a limited \nresource, thereby enabling an attacker to influence the amount of \nresources consumed, eventually leading to the exhaustion of available \nresources.\n\n\u003c/p\u003e"
}
],
"value": "Philips Clinical Collaboration Platform, Versions 12.2.1 and prior, \n\ndoes not properly control the allocation and maintenance of a limited \nresource, thereby enabling an attacker to influence the amount of \nresources consumed, eventually leading to the exhaustion of available \nresources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-757",
"description": "CWE-757",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T21:21:08.344Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01"
},
{
"url": "https://www.philips.com/a-w/security/security-advisories/product-security-2020.html#2020_archive"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003ePhilips \nrequires manual intervention to remediate CVE-2020-16200.\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e\u003cp\u003eUsers with questions regarding their specific Philips Clinical \nCollaboration Platform installations and new release eligibility should \ncontact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.usa.philips.com/healthcare/solutions/customer-service-solutions\"\u003ePhilips service support, or regional service support\u003c/a\u003e, or call 1-877-328-2808, option 4.\u003c/p\u003e\u003cp\u003eThe Philips advisory and the latest security information for Philips products are available at the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.philips.com/productsecurity\"\u003ePhilips product security website\u003c/a\u003e.\n\n\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Philips \nrequires manual intervention to remediate CVE-2020-16200.\n\n\n\n\n\nUsers with questions regarding their specific Philips Clinical \nCollaboration Platform installations and new release eligibility should \ncontact Philips service support, or regional service support https://www.usa.philips.com/healthcare/solutions/customer-service-solutions , or call 1-877-328-2808, option 4.\n\nThe Philips advisory and the latest security information for Philips products are available at the Philips product security website https://www.philips.com/productsecurity ."
}
],
"source": {
"advisory": "ICSMA-20-261-01",
"discovery": "EXTERNAL"
},
"title": "Philips Clinical Collaboration Platform Algorithm Downgrade",
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-14506",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Philips Clinical Collaboration Platform",
"version": {
"version_data": [
{
"version_value": "Versions 12.2.1 and prior"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Philips Clinical Collaboration Platform, Versions 12.2.1 and prior. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CROSS-SITE REQUEST FORGERY (CSRF) CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-16200",
"datePublished": "2020-09-18T17:53:23.000Z",
"dateReserved": "2020-07-31T00:00:00.000Z",
"dateUpdated": "2025-06-04T21:21:08.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
CAPEC-220: Client-Server Protocol Manipulation
An adversary takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions. Communication protocols are necessary to transfer messages between client and server applications. Moreover, different protocols may be used for different types of interactions.
CAPEC-606: Weakening of Cellular Encryption
An attacker, with control of a Cellular Rogue Base Station or through cooperation with a Malicious Mobile Network Operator can force the mobile device (e.g., the retransmission device) to use no encryption (A5/0 mode) or to use easily breakable encryption (A5/1 or A5/2 mode).
CAPEC-620: Drop Encryption Level
An attacker forces the encryption level to be lowered, thus enabling a successful attack against the encrypted data.