Vulnerabilities (CVE)

Filtered by CWE-327
Total 459 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-9526 1 Cs2-network 1 P2p 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an information exposure flaw that exposes user session data to supernodes in the network, as demonstrated by passively eavesdropping on user video/audio streams, capturing credentials, and compromising devices.
CVE-2020-9491 1 Apache 1 Nifi 2024-11-21 5.0 MEDIUM 7.5 HIGH
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.
CVE-2020-8912 1 Amazon 1 Aws S3 Crypto Sdk 2024-11-21 2.1 LOW 2.5 LOW
A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
CVE-2020-8911 1 Amazon 1 Aws S3 Crypto Sdk 2024-11-21 2.1 LOW 5.6 MEDIUM
A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.
CVE-2020-8897 1 Amazon 1 Aws Encryption Sdk 2024-11-21 5.5 MEDIUM 4.8 MEDIUM
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.
CVE-2020-7689 1 Node.bcrypt.js Project 1 Node.bcrypt.js 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
Data is truncated wrong when its length is greater than 255 bytes.
CVE-2020-7514 1 Schneider-electric 1 Easergy Builder 2024-11-21 4.6 MEDIUM 7.8 HIGH
A CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker access to the authorization credentials for a device and gain full access.
CVE-2020-7511 1 Schneider-electric 2 Easergy T300, Easergy T300 Firmware 2024-11-21 5.0 MEDIUM 7.5 HIGH
A CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to acquire a password by brute force.
CVE-2020-7339 1 Mcafee 1 Database Security 2024-11-21 5.8 MEDIUM 6.3 MEDIUM
Use of a Broken or Risky Cryptographic Algorithm vulnerability in McAfee Database Security Server and Sensor prior to 4.8.0 in the form of a SHA1 signed certificate that would allow an attacker on the same local network to potentially intercept communication between the Server and Sensors.
CVE-2020-7001 1 Moxa 4 Eds-510e, Eds-510e Firmware, Eds-g516e and 1 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
In Moxa EDS-G516E Series firmware, Version 5.2 or lower, the affected products use a weak cryptographic algorithm, which may allow confidential information to be disclosed.
CVE-2020-6987 1 Moxa 110 Pt-7528-12msc-12tx-4gsfp-hv, Pt-7528-12msc-12tx-4gsfp-hv-hv, Pt-7528-12msc-12tx-4gsfp-hv-hv Firmware and 107 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
In Moxa PT-7528 series firmware, Version 4.0 or lower, and PT-7828 series firmware, Version 3.9 or lower, the affected products use a weak cryptographic algorithm, which may allow confidential information to be disclosed.
CVE-2020-6984 1 Rockwellautomation 6 Micrologix 1100, Micrologix 1100 Firmware, Micrologix 1400 and 3 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic function utilized to protect the password in MicroLogix is discoverable.
CVE-2020-6874 1 Zte 2 Zxiptv, Zxiptv Firmware 2024-11-21 5.5 MEDIUM 9.1 CRITICAL
A ZTE product is impacted by the cryptographic issues vulnerability. The encryption algorithm is not properly used, so remote attackers could use this vulnerability for account credential enumeration attack or brute-force attack for password guessing. This affects: ZXIPTV, ZXIPTV-WEB-PV5.09.08.04.
CVE-2020-6861 1 Ledger 3 Monero, Nano S, Nano X 2024-11-21 2.1 LOW 5.5 MEDIUM
A flawed protocol design in the Ledger Monero app before 1.5.1 for Ledger Nano and Ledger S devices allows a local attacker to extract the master spending key by sending crafted messages to this app selected on a PIN-entered Ledger connected to a host PC.
CVE-2020-6857 1 Taskautomation 1 Carbonftp 2024-11-21 2.1 LOW 5.5 MEDIUM
CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key. The key for local FTP server passwords is hard-coded in the binary.
CVE-2020-5943 1 F5 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
In versions 14.1.0-14.1.0.1 and 14.1.2.5-14.1.2.7, when a BIG-IP object is created or listed through the REST interface, the protected fields are obfuscated in the REST response, not protected via a SecureVault cryptogram as TMSH does. One example of protected fields is the GTM monitor password.
CVE-2020-5229 1 Apereo 1 Opencast 2024-11-21 5.5 MEDIUM 7.7 HIGH
Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user. This essentially means that for an attacker, it might be feasible to reconstruct a user's password given access to these hashes. Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords. The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note, that old hashes remain MD5 until the password is updated. For a list of users whose password hashes are stored using MD5, take a look at the `/user-utils/users/md5.json` REST endpoint.
CVE-2020-4968 1 Ibm 1 Security Identity Governance And Intelligence 2024-11-21 3.3 LOW 6.5 MEDIUM
IBM Security Identity Governance and Intelligence 5.2.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 192427.
CVE-2020-4965 1 Ibm 12 Collaborative Lifecycle Management, Doors Next, Engineering Insights and 9 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
IBM Jazz Team Server products use weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 192422.
CVE-2020-4937 5 Hp, Ibm, Linux and 2 more 7 Hp-ux, Aix, I and 4 more 2024-11-21 5.0 MEDIUM 7.5 HIGH
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.3.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 191814.