Search
Total
16 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26154 | 1 Pubnub | 4 C-core, Kotlin, Pubnub and 1 more | 2023-12-11 | N/A | 5.9 MEDIUM |
| Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. **Note:** In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption. | |||||
| CVE-2022-20941 | 1 Cisco | 1 Firepower Management Center | 2023-08-08 | N/A | 5.3 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to access sensitive information. This vulnerability is due to missing authorization for certain resources in the web-based management interface together with insufficient entropy in these resource names. An attacker could exploit this vulnerability by sending a series of HTTPS requests to an affected device to enumerate resources on the device. A successful exploit could allow the attacker to retrieve sensitive information from the device. | |||||
| CVE-2021-31797 | 1 Cyberark | 1 Credential Provider | 2023-08-08 | 1.9 LOW | 5.1 MEDIUM |
| The user identification mechanism used by CyberArk Credential Provider prior to 12.1 is susceptible to a local host race condition, leading to password disclosure. | |||||
| CVE-2023-38357 | 1 Rws | 1 Worldserver | 2023-08-04 | N/A | 5.3 MEDIUM |
| Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions. | |||||
| CVE-2021-31798 | 1 Cyberark | 1 Credential Provider | 2022-07-12 | 1.9 LOW | 4.4 MEDIUM |
| The effective key space used to encrypt the cache in CyberArk Credential Provider prior to 12.1 has low entropy, and under certain conditions a local malicious user can obtain the plaintext of cache files. | |||||
| CVE-2022-27221 | 1 Siemens | 1 Sinema Remote Connect Server | 2022-06-22 | 4.3 MEDIUM | 5.9 MEDIUM |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). An attacker in machine-in-the-middle could obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack. | |||||
| CVE-2017-6030 | 1 Schneider-electric | 6 Modicon M221, Modicon M221 Firmware, Modicon M241 and 3 more | 2022-02-03 | 6.4 MEDIUM | 6.5 MEDIUM |
| A Predictable Value Range from Previous Values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections. | |||||
| CVE-2021-42138 | 1 Thalesgroup | 1 Safenet Windows Logon Agent | 2022-01-03 | 3.5 LOW | 6.5 MEDIUM |
| A user of a machine protected by SafeNet Agent for Windows Logon may leverage weak entropy to access the encrypted credentials of any or all the users on that machine. | |||||
| CVE-2021-3505 | 3 Fedoraproject, Libtpms Project, Redhat | 3 Fedora, Libtpms, Enterprise Linux | 2021-06-03 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in libtpms in versions before 0.8.0. The TPM 2 implementation returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check. The highest threat from this vulnerability is to data confidentiality. | |||||
| CVE-2016-2858 | 3 Canonical, Debian, Qemu | 3 Ubuntu Linux, Debian Linux, Qemu | 2020-10-15 | 1.9 LOW | 6.5 MEDIUM |
| QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption. | |||||
| CVE-2019-9555 | 1 Sagemcom | 2 F\@st 5260, F\@st 5260 Firmware | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| Sagemcom F@st 5260 routers using firmware version 0.4.39, in WPA mode, default to using a PSK that is generated from a 2-part wordlist of known values and a nonce with insufficient entropy. The number of possible PSKs is about 1.78 billion, which is too small. | |||||
| CVE-2016-2564 | 1 Invisioncommunity | 1 Invision Power Board | 2020-06-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation. | |||||
| CVE-2008-1447 | 6 Canonical, Cisco, Debian and 3 more | 8 Ubuntu Linux, Ios, Debian Linux and 5 more | 2020-03-24 | 5.0 MEDIUM | 6.8 MEDIUM |
| The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." | |||||
| CVE-2015-3006 | 1 Juniper | 3 Junos, Qfx3500, Qfx3600 | 2020-03-10 | 6.8 MEDIUM | 6.5 MEDIUM |
| On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for some time, but immediately after boot, the entropy is very low. This issue only affects the QFX3500 and QFX3600 switches. No other Juniper Networks products or platforms are affected by this weak entropy vulnerability. | |||||
| CVE-2018-8435 | 1 Microsoft | 2 Windows 10, Windows Server 2016 | 2019-10-03 | 2.3 LOW | 4.2 MEDIUM |
| A security feature bypass vulnerability exists when Windows Hyper-V BIOS loader fails to provide a high-entropy source, aka "Windows Hyper-V Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. | |||||
| CVE-2017-2626 | 2 Freedesktop, Redhat | 6 Libice, Enterprise Linux Desktop, Enterprise Linux Server and 3 more | 2019-07-14 | 2.1 LOW | 5.5 MEDIUM |
| It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list. | |||||