CWE-326
Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CVE-2021-38121 (GCVE-0-2021-38121)
Vulnerability from cvelistv5 – Published: 2024-08-28 06:28 – Updated: 2024-08-28 13:29
VLAI
Title
Weak communication protocol identified in Advance Authentication client application
Summary
Insufficient or weak TLS protocol version identified in Advance authentication client server communication when specific service is accessed between devices. This issue affects NetIQ Advance Authentication versions before 6.3.5.1
Severity
8.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| OpenText | NetIQ Advance Authentication |
Affected:
6.3.5.1 , < <
(server)
|
|
| microfocus | netiq_advanced_authentication |
Affected:
0 , < 6.3.5.1
(semver)
cpe:2.3:a:microfocus:netiq_advanced_authentication:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:microfocus:netiq_advanced_authentication:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "netiq_advanced_authentication",
"vendor": "microfocus",
"versions": [
{
"lessThan": "6.3.5.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-38121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T13:28:39.335154Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T13:29:45.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux",
"MacOS"
],
"product": "NetIQ Advance Authentication",
"vendor": "OpenText",
"versions": [
{
"lessThan": "\u003c",
"status": "affected",
"version": "6.3.5.1",
"versionType": "server"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient or weak TLS protocol version identified in Advance authentication client server communication when specific service is accessed between devices.\u0026nbsp; This issue affects NetIQ Advance Authentication versions before 6.3.5.1\u003cbr\u003e"
}
],
"value": "Insufficient or weak TLS protocol version identified in Advance authentication client server communication when specific service is accessed between devices.\u00a0 This issue affects NetIQ Advance Authentication versions before 6.3.5.1"
}
],
"impacts": [
{
"capecId": "CAPEC-217",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-217 Exploiting Incorrectly Configured SSL/TLS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T06:28:43.452Z",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "OpenText"
},
"references": [
{
"url": "https://www.netiq.com/documentation/advanced-authentication-63/advanced-authentication-releasenotes-6351/data/advanced-authentication-releasenotes-6351.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Weak communication protocol identified in Advance Authentication client application",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "OpenText",
"cveId": "CVE-2021-38121",
"datePublished": "2024-08-28T06:28:43.452Z",
"dateReserved": "2021-08-04T20:57:01.489Z",
"dateUpdated": "2024-08-28T13:29:45.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38464 (GCVE-0-2021-38464)
Vulnerability from cvelistv5 – Published: 2021-10-19 12:10 – Updated: 2024-09-17 03:33
VLAI
Title
InHand Networks IR615 Router
Summary
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 have inadequate encryption strength, which may allow an attacker to intercept the communication and steal sensitive information or hijack the session.
Severity
6.4 (Medium)
CWE
- CWE-326 - INADEQUATE ENCRYPTION STRENGTH CWE-326
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| InHand Networks | IR615 Router |
Affected:
2.3.0.r4724 and 2.3.0.r4870
|
Date Public
2021-10-07 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:44:22.464Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "IR615 Router",
"vendor": "InHand Networks",
"versions": [
{
"status": "affected",
"version": "2.3.0.r4724 and 2.3.0.r4870"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Haviv Vaizman, Hay Mizrachi, Alik Koldobsky, Ofir Manzur, and Nikolay Sokolik of OTORIO reported these vulnerabilities to CISA."
}
],
"datePublic": "2021-10-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "InHand Networks IR615 Router\u0027s Versions 2.3.0.r4724 and 2.3.0.r4870 have inadequate encryption strength, which may allow an attacker to intercept the communication and steal sensitive information or hijack the session."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "INADEQUATE ENCRYPTION STRENGTH CWE-326",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-19T12:10:19.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05"
}
],
"source": {
"advisory": "ICSA-21-280-05",
"discovery": "UNKNOWN"
},
"title": "InHand Networks IR615 Router",
"workarounds": [
{
"lang": "en",
"value": "InHand Networks has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of this affected product are invited to contact InHand Networks customer support."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-10-07T20:12:00.000Z",
"ID": "CVE-2021-38464",
"STATE": "PUBLIC",
"TITLE": "InHand Networks IR615 Router"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "IR615 Router",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2.3.0.r4724 and 2.3.0.r4870"
}
]
}
}
]
},
"vendor_name": "InHand Networks"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Haviv Vaizman, Hay Mizrachi, Alik Koldobsky, Ofir Manzur, and Nikolay Sokolik of OTORIO reported these vulnerabilities to CISA."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "InHand Networks IR615 Router\u0027s Versions 2.3.0.r4724 and 2.3.0.r4870 have inadequate encryption strength, which may allow an attacker to intercept the communication and steal sensitive information or hijack the session."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "INADEQUATE ENCRYPTION STRENGTH CWE-326"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-280-05"
}
]
},
"source": {
"advisory": "ICSA-21-280-05",
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "InHand Networks has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of this affected product are invited to contact InHand Networks customer support."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-38464",
"datePublished": "2021-10-19T12:10:19.637Z",
"dateReserved": "2021-08-10T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:33:36.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-40341 (GCVE-0-2021-40341)
Vulnerability from cvelistv5 – Published: 2023-01-05 21:26 – Updated: 2025-04-10 13:31
VLAI
Title
Weak DES encryption
Summary
DES cipher, which has inadequate encryption strength, is used Hitachi Energy FOXMAN-UN to encrypt user credentials used to access the Network Elements. Successful exploitation allows sensitive information to be decrypted easily. This issue affects
* FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C;
* UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C.
List of CPEs:
* cpe:2.3:a:hitachienergy:foxman-un:R16A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R16A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Hitachi Energy | FOXMAN-UN |
Affected:
FOXMAN-UN R16A
Affected: FOXMAN-UN R15B Affected: FOXMAN-UN R15A Affected: FOXMAN-UN R14B Affected: FOXMAN-UN R14A Affected: FOXMAN-UN R11B Affected: FOXMAN-UN R11A Affected: FOXMAN-UN R10C Affected: FOXMAN-UN R9C |
|
| Hitachi Energy | UNEM |
Affected:
UNEM R16A
Affected: UNEM R15B Affected: UNEM R15A Affected: UNEM R14B Affected: UNEM R14A Affected: UNEM R11B Affected: UNEM R11A Affected: UNEM R10C Affected: UNEM R9C |
Date Public
2022-12-13 13:30
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:27:31.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000083\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000084\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-40341",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T13:30:48.243722Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T13:31:25.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FOXMAN-UN",
"vendor": "Hitachi Energy",
"versions": [
{
"status": "affected",
"version": "FOXMAN-UN R16A"
},
{
"status": "affected",
"version": "FOXMAN-UN R15B"
},
{
"status": "affected",
"version": "FOXMAN-UN R15A"
},
{
"status": "affected",
"version": "FOXMAN-UN R14B"
},
{
"status": "affected",
"version": "FOXMAN-UN R14A"
},
{
"status": "affected",
"version": "FOXMAN-UN R11B"
},
{
"status": "affected",
"version": "FOXMAN-UN R11A"
},
{
"status": "affected",
"version": "FOXMAN-UN R10C"
},
{
"status": "affected",
"version": "FOXMAN-UN R9C"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UNEM",
"vendor": "Hitachi Energy",
"versions": [
{
"status": "affected",
"version": "UNEM R16A"
},
{
"status": "affected",
"version": "UNEM R15B"
},
{
"status": "affected",
"version": "UNEM R15A"
},
{
"status": "affected",
"version": "UNEM R14B"
},
{
"status": "affected",
"version": "UNEM R14A"
},
{
"status": "affected",
"version": "UNEM R11B"
},
{
"status": "affected",
"version": "UNEM R11A"
},
{
"status": "affected",
"version": "UNEM R10C"
},
{
"status": "affected",
"version": "UNEM R9C"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "K-Businessom AG, Austria"
}
],
"datePublic": "2022-12-13T13:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "DES cipher, which has inadequate encryption strength, is used Hitachi Energy FOXMAN-UN to encrypt user credentials used to access the Network Elements. Successful exploitation allows sensitive information to be decrypted easily.\u0026nbsp;\u003cp\u003eThis issue affects\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eFOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C;\u0026nbsp;\u003c/li\u003e\u003cli\u003eUNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003eList of CPEs:\u0026nbsp;\u003cbr\u003e\u003cul\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman-un:R16A:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:unem:R16A:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:*\u003c/li\u003e\u003cli\u003ecpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
}
],
"value": "DES cipher, which has inadequate encryption strength, is used Hitachi Energy FOXMAN-UN to encrypt user credentials used to access the Network Elements. Successful exploitation allows sensitive information to be decrypted easily.\u00a0This issue affects\u00a0\n\n\n\n * FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C;\u00a0\n * UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C.\n\n\n\n\nList of CPEs:\u00a0\n * cpe:2.3:a:hitachienergy:foxman-un:R16A:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:foxman-un:R15B:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:foxman-un:R15A:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:foxman-un:R14B:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:foxman-un:R14A:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:foxman-un:R11B:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:foxman-un:R11A:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:foxman-un:R10C:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:foxman-un:R9C:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:unem:R16A:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:unem:R15B:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:unem:R15A:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:unem:R14B:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:unem:R14A:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:unem:R11B:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:unem:R11A:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:unem:R10C:*:*:*:*:*:*:*\n * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-20",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-20 Encryption Brute Forcing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-05T21:26:42.760Z",
"orgId": "e383dce4-0c27-4495-91c4-0db157728d17",
"shortName": "Hitachi Energy"
},
"references": [
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000083\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000084\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Weak DES encryption",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nThe vulnerabilities are partially remediated in FOXMAN-UN R16A or UNEM R16A, the full remediation will be done in the upcoming release (planned).\n\u003cbr\u003e\u003cbr\u003eFor immediate recommended mitigation actions if using FOXMAN-UN R16A or UNEM R16A,\nplease refer to the \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDatabase contains credentials with weak encryption\u003c/span\u003e\n\nclause of section Mitigation Factors/Workarounds\nin the respective products\u0027 advisory.\n\u003cbr\u003e\u003cbr\u003eFor immediate recommended mitigation actions if using FOXMAN-UN R15B or UNEM R15B and earlier, please refer to the multiple clauses of section Mitigation Factors/Workarounds in the advisory\u003cbr\u003e\u003cul\u003e\u003cli\u003eSecure the NMS CLIENT/SERVER communication.\u0026nbsp;\u003c/li\u003e\u003cli\u003eEmbedded FOXCST with RADIUS authentication should be avoided.\u0026nbsp;\u003c/li\u003e\u003cli\u003eDatabase contains credentials with weak encryption.\n\n\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "\nThe vulnerabilities are partially remediated in FOXMAN-UN R16A or UNEM R16A, the full remediation will be done in the upcoming release (planned).\n\n\nFor immediate recommended mitigation actions if using FOXMAN-UN R16A or UNEM R16A,\nplease refer to the \n\nDatabase contains credentials with weak encryption\n\nclause of section Mitigation Factors/Workarounds\nin the respective products\u0027 advisory.\n\n\nFor immediate recommended mitigation actions if using FOXMAN-UN R15B or UNEM R15B and earlier, please refer to the multiple clauses of section Mitigation Factors/Workarounds in the advisory\n * Secure the NMS CLIENT/SERVER communication.\u00a0\n * Embedded FOXCST with RADIUS authentication should be avoided.\u00a0\n * Database contains credentials with weak encryption.\n\n\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17",
"assignerShortName": "Hitachi Energy",
"cveId": "CVE-2021-40341",
"datePublished": "2023-01-05T21:26:42.760Z",
"dateReserved": "2021-08-31T20:24:21.498Z",
"dateUpdated": "2025-04-10T13:31:25.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1318 (GCVE-0-2022-1318)
Vulnerability from cvelistv5 – Published: 2022-04-20 15:30 – Updated: 2025-04-16 16:28
VLAI
Title
Hills ComNav Inadequate Encryption Strength
Summary
Hills ComNav version 3002-19 suffers from a weak communication channel. Traffic across the local network for the configuration pages can be viewed by a malicious actor. The size of certain communications packets are predictable. This would allow an attacker to learn the state of the system if they can observe the traffic. This would be possible even if the traffic were encrypted, e.g., using WPA2, as the packet sizes would remain observable. The communication encryption scheme is theoretically sound, but is not strong enough for the level of protection required.
Severity
6.2 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.corporate.carrier.com/Images/CARR-PSA… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Interlogix | ComNav |
Affected:
All , ≤ 3002-19
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:03:05.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.corporate.carrier.com/Images/CARR-PSA-Hills-ComNav-002-1121_tcm558-149392.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-1318",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:53:29.431648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:28:22.881Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ComNav",
"vendor": "Interlogix",
"versions": [
{
"lessThanOrEqual": "3002-19",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Dr Paul Gardner-Stephen, Flinders University and DEWC Systems, Australia "
},
{
"lang": "en",
"value": "Jacob Thompson, Flinders University, Australia"
},
{
"lang": "en",
"value": "Dr Samuel Chenoweth, Defence Science and Technology Group, Australia"
}
],
"descriptions": [
{
"lang": "en",
"value": "Hills ComNav version 3002-19 suffers from a weak communication channel. Traffic across the local network for the configuration pages can be viewed by a malicious actor. The size of certain communications packets are predictable. This would allow an attacker to learn the state of the system if they can observe the traffic. This would be possible even if the traffic were encrypted, e.g., using WPA2, as the packet sizes would remain observable. The communication encryption scheme is theoretically sound, but is not strong enough for the level of protection required."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-20T15:30:35.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.corporate.carrier.com/Images/CARR-PSA-Hills-ComNav-002-1121_tcm558-149392.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "Carrier recommends users upgrade to Version 4000-12 or later, which is the latest supported version at the time of this publication. Please contact the Hills distributor to acquire the firmware update.\nMore information on this issue can be found in Carrier product security advisory number CARR-PSA-002-1121.\n"
}
],
"source": {
"advisory": "CARR-PSA-2021-02",
"discovery": "EXTERNAL"
},
"title": "Hills ComNav Inadequate Encryption Strength",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2022-1318",
"STATE": "PUBLIC",
"TITLE": "Hills ComNav Inadequate Encryption Strength"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ComNav",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "All",
"version_value": "3002-19"
}
]
}
}
]
},
"vendor_name": "Interlogix"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Dr Paul Gardner-Stephen, Flinders University and DEWC Systems, Australia "
},
{
"lang": "eng",
"value": "Jacob Thompson, Flinders University, Australia"
},
{
"lang": "eng",
"value": "Dr Samuel Chenoweth, Defence Science and Technology Group, Australia"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Hills ComNav version 3002-19 suffers from a weak communication channel. Traffic across the local network for the configuration pages can be viewed by a malicious actor. The size of certain communications packets are predictable. This would allow an attacker to learn the state of the system if they can observe the traffic. This would be possible even if the traffic were encrypted, e.g., using WPA2, as the packet sizes would remain observable. The communication encryption scheme is theoretically sound, but is not strong enough for the level of protection required."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-326 Inadequate Encryption Strength"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.corporate.carrier.com/Images/CARR-PSA-Hills-ComNav-002-1121_tcm558-149392.pdf",
"refsource": "CONFIRM",
"url": "https://www.corporate.carrier.com/Images/CARR-PSA-Hills-ComNav-002-1121_tcm558-149392.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "Carrier recommends users upgrade to Version 4000-12 or later, which is the latest supported version at the time of this publication. Please contact the Hills distributor to acquire the firmware update.\nMore information on this issue can be found in Carrier product security advisory number CARR-PSA-002-1121.\n"
}
],
"source": {
"advisory": "CARR-PSA-2021-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-1318",
"datePublished": "2022-04-20T15:30:35.000Z",
"dateReserved": "2022-04-11T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:28:22.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24318 (GCVE-0-2022-24318)
Vulnerability from cvelistv5 – Published: 2022-02-09 22:05 – Updated: 2024-08-03 04:07
VLAI
Summary
A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)
Severity
No CVSS data available.
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://download.schneider-electric.com/files?p_D… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions) |
Affected:
ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:07:02.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326: Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-09T22:05:09.000Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-05"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@schneider-electric.com",
"ID": "CVE-2022-24318",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)",
"version": {
"version_data": [
{
"version_value": "ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo SCADA Expert 2019 (All Versions), EcoStruxure Geo SCADA Expert 2020 (All Versions)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-326: Inadequate Encryption Strength"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-05",
"refsource": "MISC",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-05"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2022-24318",
"datePublished": "2022-02-09T22:05:09.000Z",
"dateReserved": "2022-02-02T00:00:00.000Z",
"dateUpdated": "2024-08-03T04:07:02.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26306 (GCVE-0-2022-26306)
Vulnerability from cvelistv5 – Published: 2022-07-25 00:00 – Updated: 2024-08-03 05:03
VLAI
Title
Execution of Untrusted Macros Due to Improper Certificate Validation
Summary
LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.
Severity
No CVSS data available.
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| The Document Foundation | LibreOffice |
Affected:
7.2 , < 7.2.7
(custom)
Affected: 7.3 , < 7.3.1 (custom) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:03:31.153Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306"
},
{
"name": "[oss-security] 20220812 CVE-2022-37400: Apache OpenOffice Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/13/1"
},
{
"name": "[debian-lts-announce] 20230326 [SECURITY] [DLA 3368-1] libreoffice security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "LibreOffice",
"vendor": "The Document Foundation",
"versions": [
{
"lessThan": "7.2.7",
"status": "affected",
"version": "7.2",
"versionType": "custom"
},
{
"lessThan": "7.3.1",
"status": "affected",
"version": "7.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "OpenSource Security GmbH on behalf of the German Federal Office for Information Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "LibreOffice supports the storage of passwords for web connections in the user\u2019s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user\u0027s configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-26T00:00:00.000Z",
"orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
"shortName": "Document Fdn."
},
"references": [
{
"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306"
},
{
"name": "[oss-security] 20220812 CVE-2022-37400: Apache OpenOffice Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/13/1"
},
{
"name": "[debian-lts-announce] 20230326 [SECURITY] [DLA 3368-1] libreoffice security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Execution of Untrusted Macros Due to Improper Certificate Validation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
"assignerShortName": "Document Fdn.",
"cveId": "CVE-2022-26306",
"datePublished": "2022-07-25T00:00:00.000Z",
"dateReserved": "2022-02-28T00:00:00.000Z",
"dateUpdated": "2024-08-03T05:03:31.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26307 (GCVE-0-2022-26307)
Vulnerability from cvelistv5 – Published: 2022-07-25 00:00 – Updated: 2024-08-03 05:03
VLAI
Title
Weak Master Keys
Summary
LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3.
Severity
No CVSS data available.
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| The Document Foundation | LibreOffice |
Affected:
7.2 , < 7.2.7
(custom)
Affected: 7.3 , < 7.3.3 (custom) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:03:31.842Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307"
},
{
"name": "[oss-security] 20220812 CVE-2022-37401: Apache OpenOffice Weak Master Keys",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/13/2"
},
{
"name": "[debian-lts-announce] 20230326 [SECURITY] [DLA 3368-1] libreoffice security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "LibreOffice",
"vendor": "The Document Foundation",
"versions": [
{
"lessThan": "7.2.7",
"status": "affected",
"version": "7.2",
"versionType": "custom"
},
{
"lessThan": "7.3.3",
"status": "affected",
"version": "7.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "OpenSource Security GmbH on behalf of the German Federal Office for Information Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "LibreOffice supports the storage of passwords for web connections in the user\u2019s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-26T00:00:00.000Z",
"orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
"shortName": "Document Fdn."
},
"references": [
{
"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307"
},
{
"name": "[oss-security] 20220812 CVE-2022-37401: Apache OpenOffice Weak Master Keys",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/13/2"
},
{
"name": "[debian-lts-announce] 20230326 [SECURITY] [DLA 3368-1] libreoffice security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Weak Master Keys",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
"assignerShortName": "Document Fdn.",
"cveId": "CVE-2022-26307",
"datePublished": "2022-07-25T00:00:00.000Z",
"dateReserved": "2022-02-28T00:00:00.000Z",
"dateUpdated": "2024-08-03T05:03:31.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2640 (GCVE-0-2022-2640)
Vulnerability from cvelistv5 – Published: 2022-12-12 01:50 – Updated: 2025-04-16 16:05
VLAI
Summary
The Config-files of Horner Automation’s RCC 972 with firmware version 15.40 are encrypted with weak XOR encryption vulnerable to reverse engineering. This could allow an attacker to obtain credentials to run services such as File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP).
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Horner Automation | Remote Compact Controller (RCC) 972 |
Affected:
Firmware Version 15.40
|
Date Public
2022-12-01 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:03.284Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-335-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2640",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:53:28.758678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:05:18.798Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Remote Compact Controller (RCC) 972",
"vendor": "Horner Automation",
"versions": [
{
"status": "affected",
"version": "Firmware Version 15.40"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "m1etz reported these vulnerabilities through the Computer Emergency Response Team, CERT-Bund, to CISA"
}
],
"datePublic": "2022-12-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Config-files of Horner Automation\u2019s RCC 972 with firmware version 15.40 are encrypted with weak XOR encryption vulnerable to reverse engineering. This could allow an attacker to obtain credentials to run services such as File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-02T00:00:00.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-335-02"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-2640",
"datePublished": "2022-12-12T01:50:00.293Z",
"dateReserved": "2022-08-03T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:05:18.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2758 (GCVE-0-2022-2758)
Vulnerability from cvelistv5 – Published: 2022-08-31 15:33 – Updated: 2025-04-16 16:11
VLAI
Title
Update
Summary
Passwords are not adequately encrypted during the communication process between all versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric XG5000 software prior to V4.0 and LS Electric PLCs: all versions of XGK-CPUU/H/A/S/E prior to V3.50, all versions of XGI-CPUU/UD/H/S/E prior to V3.20, all versions of XGR-CPUH prior to V1.80, all versions of XGB-XBMS prior to V3.00, all versions of XGB-XBCH prior to V1.90, and all versions of XGB-XECH prior to V1.30. This would allow an attacker to identify and decrypt the password of the affected PLCs by sniffing the PLC’s communication traffic.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
1 reference
Impacted products
7 products
| Vendor | Product | Version | |
|---|---|---|---|
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | XG5000 |
Affected:
All versions , < V4.0
(custom)
|
|
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | PLC: XGB-XECH |
Affected:
All versions , < V1.30
(custom)
|
|
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | PLC: XGB-XBCH |
Affected:
All versions , < V1.90
(custom)
|
|
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | PLC: XGB-XBMS |
Affected:
All versions , < V3.00
(custom)
|
|
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | PLC: XGR-CPUH |
Affected:
All versions , < V1.80
(custom)
|
|
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | PLC: XGI-CPUU/UD/H/S/E |
Affected:
All versions , < V3.20
(custom)
|
|
| LS Industrial Systems (LSIS) Co. Ltd LS Electric | PLC: XGK-CPUU/H/A/S/E |
Affected:
All versions , < V3.50
(custom)
|
Date Public
2022-08-16 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:04.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2758",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:50:15.763986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:11:29.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "XG5000",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V4.0",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
},
{
"product": "PLC: XGB-XECH",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V1.30",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
},
{
"product": "PLC: XGB-XBCH",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V1.90",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
},
{
"product": "PLC: XGB-XBMS",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V3.00",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
},
{
"product": "PLC: XGR-CPUH",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V1.80",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
},
{
"product": "PLC: XGI-CPUU/UD/H/S/E",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V3.20",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
},
{
"product": "PLC: XGK-CPUU/H/A/S/E",
"vendor": "LS Industrial Systems (LSIS) Co. Ltd LS Electric",
"versions": [
{
"lessThan": "V3.50",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Hong-Gi Kin of the Korea Internet \u0026 Security Agency (KISA) reported this vulnerability."
}
],
"datePublic": "2022-08-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Passwords are not adequately encrypted during the communication process between all versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric XG5000 software prior to V4.0 and LS Electric PLCs: all versions of XGK-CPUU/H/A/S/E prior to V3.50, all versions of XGI-CPUU/UD/H/S/E prior to V3.20, all versions of XGR-CPUH prior to V1.80, all versions of XGB-XBMS prior to V3.00, all versions of XGB-XBCH prior to V1.90, and all versions of XGB-XECH prior to V1.30. This would allow an attacker to identify and decrypt the password of the affected PLCs by sniffing the PLC\u2019s communication traffic."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-14T00:00:00.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-228-02"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Update",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2022-2758",
"datePublished": "2022-08-31T15:33:03.944Z",
"dateReserved": "2022-08-10T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:11:29.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32753 (GCVE-0-2022-32753)
Vulnerability from cvelistv5 – Published: 2024-03-22 15:26 – Updated: 2024-08-03 07:46
VLAI
Title
IBM Security Verify Directory information disclosure
Summary
IBM Security Verify Directory 10.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 228444.
Severity
4.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-326 - Inadequate Encryption Strength
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7145001 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Security Verify Directory |
Affected:
10.0.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-32753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-12T21:19:13.147757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T21:19:22.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:46:44.926Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7145001"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228444"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Security Verify Directory",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Security Verify Directory 10.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 228444."
}
],
"value": "IBM Security Verify Directory 10.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 228444."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T15:26:23.956Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7145001"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228444"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Security Verify Directory information disclosure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2022-32753",
"datePublished": "2024-03-22T15:26:23.956Z",
"dateReserved": "2022-06-09T15:49:18.231Z",
"dateUpdated": "2024-08-03T07:46:44.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.